Date: Wed, 23 Dec 2015 22:27:33 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Luke Faraone <lfaraone@...ian.org>,
	Debian Security Team <team@...urity.debian.org>,
	CVE Assignments MITRE <cve-assign@...re.org>
Subject: pitivi: CVE-2015-0855: Insecure use of os.system()

Hi

Luke Faraone reported the following issue in pitivi[0] to the Debian
security team on 13th of September, which got CVE-2015-0855 assigned.
There seems to have been a problem in propagating the CVE assigned
though, so we apologize for that. The assigned CVE is not mentioned in
the NEWS, but see below for the fixing commit.

Luke Faraone <lfaraone@...ian.org>:
> SYNOPSIS:
>                 Double-clicking a file in the user's media library with
>                 a specially-crafted path or filename allows for
>                 arbitrary code execution with the permissions of the
>                 user running Pitivi.
> 
> STEPS TO REPRODUCE:
>              1. Create a directory hierarchy like so:
>                 "images/$(xeyes)/", and place an image "hello.png" in
>                 "images/$(xeyes)/".
>              2. Drag and drop "images" to the Pitivi media library.
>              3. Double-click the image "hello.png" in the media library.
> 
> The `xeyes` program (if installed on your system) should start.
> 
> See pitivi/mainwindow.py:_mediaLibraryPlayCb().
> 
> An exploit scenario would require an attacker to provide a
> specially-crafted directory hierarchy or file path. Since Pitivi does
> not expose the path to the user, and a workflow of consuming content
> created by others is common when working with media files, such a
> scenario occurring is not hard to imagine.

This issue was fixed upstream in 0.95 with commit
45a4c84edb3b4343f199bba1c65502e3f49f5bb2[1].

 [0] http://www.pitivi.org/
 [1] https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2

Regards,
Salvatore
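The pattern behind this CVE is a command line assembled from an untrusted file path and handed to os.system(), which runs it through /bin/sh, so a directory name such as "$(xeyes)" is command substitution rather than data. The snippet below is an added illustration for this post, not pitivi's code or its fix commit: it shows the vulnerable string-building form side by side with the hardened form (subprocess with an argv list and no shell), a simple metacharacter check for logging or triage, and the shlex.quote fallback for the rare case where a shell cannot be avoided. The "player" names and the constructed sample path are assumptions; the stand-in player is a Python one-liner so the example runs offline.

```python
import shlex
import subprocess
import sys

# Constructed sample path in the shape the report describes: the directory
# component carries shell command-substitution syntax.
SAMPLE_PATH = "images/$(xeyes)/hello.png"

# Characters /bin/sh treats specially; used only for the diagnostic check below.
SHELL_METACHARACTERS = set("$`;&|<>(){}\"'\\\n")


def build_shell_command(player, path):
    """Vulnerable pattern: one string built by formatting and later passed to
    os.system(). Returned as a string only; this function never executes it.
    Note that the $(...) survives verbatim and would be expanded by the shell."""
    return "%s %s" % (player, path)


def build_quoted_shell_command(player, path):
    """Fallback if a shell is unavoidable: shlex.quote() single-quotes the path
    so the shell passes it through as literal data."""
    return "%s %s" % (player, shlex.quote(path))


def has_shell_metacharacters(path):
    """Diagnostic check (for logging or triage, not a substitute for avoiding
    the shell): does this path contain characters a shell would interpret?"""
    return any(ch in SHELL_METACHARACTERS for ch in path)


def open_with_player(argv_prefix, path):
    """Hardened form: the path is one discrete argv element and no shell is
    involved, so nothing in it is expanded. `argv_prefix` is the player's argv,
    e.g. ["xdg-open"] (hypothetical). Returns the child's stdout so the caller
    can confirm exactly what the child received."""
    completed = subprocess.run(
        list(argv_prefix) + [path],
        shell=False,          # the default; spelled out because it is the point
        check=True,
        capture_output=True,
        text=True,
    )
    return completed.stdout


def echo_argv_prefix():
    """Stand-in for a media player: a Python one-liner that writes its last
    argv element back verbatim, so the example needs no external player."""
    return [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[-1])"]


if __name__ == "__main__":
    print("os.system() would run:", build_shell_command("player", SAMPLE_PATH))
    print("quoted fallback:      ", build_quoted_shell_command("player", SAMPLE_PATH))
    print("flagged:              ", has_shell_metacharacters(SAMPLE_PATH))
    print("argv form received:   ", open_with_player(echo_argv_prefix(), SAMPLE_PATH))
```

The last line of the stand-alone run prints the path exactly as written, "$(xeyes)" included, because with an argv list there is no shell to expand it; that is the property the fix relies on, and quoting is only a second-best when a shell genuinely has to be in the loop.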
