Date: Wed, 23 Dec 2015 22:27:33 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Luke Faraone <lfaraone@...ian.org>, Debian Security Team <team@...urity.debian.org>, CVE Assignments MITRE <cve-assign@...re.org>
Subject: pitivi: CVE-2015-0855: Insecure use of os.system()

Hi

Luke Faraone reported the following issue in pitivi to the Debian
security team on 13th of September, which got CVE-2015-0855 assigned.
There seems to have been a problem in propagating the CVE assigned
though, so we apologize for that. The assigned CVE is not mentioned in
the NEWS, but see below for the fixing commit.

Luke Faraone <lfaraone@...ian.org>:
> SYNOPSIS:
> Double-clicking a file in the user's media library with
> a specially-crafted path or filename allows for
> arbitrary code execution with the permissions of the
> user running Pitivi.
>
> STEPS TO REPRODUCE:
> 1. Create a directory hierarchy like so:
> "images/$(xeyes)/", and place an image "hello.png" in
> "images/$(xeyes)/".
> 2. Drag and drop "images" to the Pitivi media library.
> 3. Double click the image "hello.png" in the media library
>
> The `xeyes` program (if installed on your system) should start.
>
> See pitivi/mainwindow.py:_mediaLibraryPlayCb().
>
> An exploit scenario would require an attacker to provide a
> specially-crafted directory hierarchy or file path. Since Pitivi does
> not expose the path to the user, and a workflow of consuming content
> created by others is common when working with media files, such a
> scenario occurring is not hard to imagine.

This issue was fixed upstream in 0.95 with commit
45a4c84edb3b4343f199bba1c65502e3f49f5bb2.

 http://www.pitivi.org/
 https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2

Regards,
Salvatore
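
The bug class named in the subject line, shown as an added example; it is not Pitivi's code and not the upstream fix. It contrasts a path interpolated into a string parsed by `/bin/sh` (what `os.system()` does) with an argument vector and with `shlex.quote()`. The `VIEWER` stand-in, the function names and the sample path (with a harmless `echo` in place of the reported `xeyes`) are assumptions constructed for illustration.

```python
import shlex
import subprocess
import sys

# Constructed sample path modelled on the reproduction steps in the report;
# a harmless `echo` stands in for the injected command.
SAMPLE_PATH = "images/$(echo INJECTED)/hello.png"

# Hypothetical stand-in for an external viewer: writes back the single
# argument it received, so we can see what the child process was given.
VIEWER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]
VIEWER_CMD = " ".join(shlex.quote(arg) for arg in VIEWER)


def open_via_shell_string(path):
    """Vulnerable pattern: the path is pasted into a command string.

    shell=True runs `/bin/sh -c <string>`, the same mechanism os.system()
    uses, so $(...) inside the double quotes is expanded by the shell.
    """
    cmd = '%s "%s"' % (VIEWER_CMD, path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_via_argv(path):
    """Hardened pattern: argument vector, no shell involved at all."""
    result = subprocess.run(VIEWER + [path], capture_output=True,
                            text=True, check=True)
    return result.stdout


def open_via_quoted_shell(path):
    """Fallback when a shell is unavoidable: quote every untrusted word."""
    cmd = "%s %s" % (VIEWER_CMD, shlex.quote(path))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("shell string :", open_via_shell_string(SAMPLE_PATH))
    print("argv list    :", open_via_argv(SAMPLE_PATH))
    print("shlex.quote  :", open_via_quoted_shell(SAMPLE_PATH))
```

A viewer that receives anything other than the literal path shows that the shell evaluated part of the file name before the program ever started.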