[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] pitivi: CVE-2015-0855: Insecure use of os.system()
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2015-12-23 21:27:33
Message-ID: 20151223212733.GA9252 () eldamar ! local
[Download RAW message or body]
Hi
Luke Faraone reported the following issue in pitivi[0] to the Debian
security team on 13th of september, which got CVE-2015-0855 assigned.
There seems to have been a problem in propagating the CVE assigned
though, so we apologies for that. The assigned CVE is not mentioned in
the NEWS, but see below for the fixing commit.
Luke Faraone <lfaraone@debian.org>:
> SYNOPSIS:
> Double-clicking a file in the user's media library with
> a specially-crafted path or filename allows for
> arbitrary code execution with the permissions of the
> user running Pitivi.
>
> STEPS TO REPRODUCE:
> 1. Create a directory hierarchy like so:
> "images/$(xeyes)/", and place an image "hello.png" in
> "images/$(xeyes)/".
> 2. Drag and drop "images" to the Pitivi media library.
> 3. Double click the image "hello.png" in the media library
>
> The `xeyes` program (if installed on your system) should start.
>
> See pitivi/mainwindow.py:_mediaLibraryPlayCb().
>
> An exploit scenario would require an attacker to provide a
> specially-crafted directory hierarchy or file path. Since Pitivi does
> not expose the path to the user, and a workflow of consuming content
> created by others is common when working with media files, such a
> scenario occurring is not hard to imagine.
This issue was fixed upstream in 0.95 with commit
45a4c84edb3b4343f199bba1c65502e3f49f5bb2[1].
[0] http://www.pitivi.org/
[1] https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2
Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic