Date: Wed, 23 Dec 2015 22:27:33 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: Luke Faraone <lfaraone@...ian.org>,
	Debian Security Team <team@...urity.debian.org>,
	CVE Assignments MITRE <cve-assign@...re.org>
Subject: pitivi: CVE-2015-0855: Insecure use of os.system()

Hi

Luke Faraone reported the following issue in pitivi[0] to the Debian
security team on 13th of September, which got CVE-2015-0855 assigned.
There seems to have been a problem in propagating the CVE assigned
though, so we apologise for that. The assigned CVE is not mentioned in
the NEWS, but see below for the fixing commit.

Luke Faraone <lfaraone@...ian.org>:
> SYNOPSIS:
>                 Double-clicking a file in the user's media library with
>                 a specially-crafted path or filename allows for
>                 arbitrary code execution with the permissions of the
>                 user running Pitivi.
> 
> STEPS TO REPRODUCE:
>              1. Create a directory hierarchy like so:
>                 "images/$(xeyes)/", and place an image "hello.png" in
>                 "images/$(xeyes)/".
>              2. Drag and drop "images" to the Pitivi media library.
>              3. Double click the image "hello.png" in the media library
> 
> The `xeyes` program (if installed on your system) should start.
> 
> See pitivi/mainwindow.py:_mediaLibraryPlayCb().
> 
> An exploit scenario would require an attacker to provide a
> specially-crafted directory hierarchy or file path. Since Pitivi does
> not expose the path to the user, and a workflow of consuming content
> created by others is common when working with media files, such a
> scenario occurring is not hard to imagine.

This issue was fixed upstream in 0.95 with commit
45a4c84edb3b4343f199bba1c65502e3f49f5bb2[1].

 [0] http://www.pitivi.org/
 [1] https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2

Regards,
Salvatore
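The bug class described in the report, shown as an added example (this is not pitivi's code and not the fix from the commit linked above; the linked commit is the authoritative fix). It contrasts a path interpolated into a shell command string, which is what os.system() hands to /bin/sh, with two mitigations: quoting each word with shlex.quote() when a shell string is unavoidable, and the preferred form of passing an argv list to subprocess with no shell at all. The sample path is constructed with a harmless `$(echo injected)` in place of the report's `$(xeyes)`, and `echo` stands in for the media player so the demo only prints its argument. A small regex lint flags paths carrying shell metacharacters, which is a cheap review-time check for code that still builds command strings.

```python
import re
import shlex
import subprocess

# Constructed sample path: same shape as the report's "images/$(xeyes)/hello.png",
# but with a harmless substitution so the demo only prints a marker.
SAMPLE_PATH = "images/$(echo injected)/hello.png"

# Characters a /bin/sh command line would interpret (assumption: a conservative
# superset is fine for a lint; false positives are cheap here).
_SHELL_META = re.compile(r"[$`;&|<>(){}\[\]*?~!\"'\\\s]")


def has_shell_metachars(path):
    """Defensive lint: True if the path contains anything /bin/sh would interpret."""
    return _SHELL_META.search(path) is not None


def build_command_unsafe(player, path):
    """The vulnerable pattern: interpolate an untrusted path into a shell string.

    Handing this string to os.system() lets $(...) and similar constructs run
    with the privileges of the user running the application.
    """
    return "%s %s" % (player, path)


def build_command_quoted(player, path):
    """Mitigation when a shell string is unavoidable: shlex.quote() each word."""
    return "%s %s" % (shlex.quote(player), shlex.quote(path))


def run_shell_string(cmd):
    """Run a command string through /bin/sh (what os.system() does); return stdout."""
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def run_argv(player, path):
    """Preferred mitigation: argv list, no shell; the child receives the path verbatim."""
    proc = subprocess.run([player, path], capture_output=True, text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    print("unsafe :", run_shell_string(build_command_unsafe("echo", SAMPLE_PATH)))
    print("quoted :", run_shell_string(build_command_quoted("echo", SAMPLE_PATH)))
    print("argv   :", run_argv("echo", SAMPLE_PATH))
    print("flagged:", has_shell_metachars(SAMPLE_PATH))
```

In the unsafe case the shell performs the command substitution before `echo` ever sees its argument, so the marker is replaced; in both mitigated cases the argument arrives as the literal string. The argv form is the one to reach for: it removes the shell from the picture entirely, so there is nothing to quote and nothing to forget.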
