Bug 960339 (CVE-2015-0855) - VUL-1: CVE-2015-0855: pitivi: CVE-2015-0855: Insecure use of os.system()
Status: RESOLVED FIXED
Alias: CVE-2015-0855
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 42.1
Priority: P4 - Low, Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/160071/
Reported: 2015-12-29 15:44 UTC by Victor Pereira
Modified: 2016-01-11 13:11 UTC
Found By: Security Response Team


Description Victor Pereira 2015-12-29 15:44:29 UTC
CVE-2015-0855

Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi.

STEPS TO REPRODUCE:
1. Create a directory hierarchy like so: "images/$(xeyes)/", and place an image "hello.png" in "images/$(xeyes)/".
2. Drag and drop "images" to the Pitivi media library.
3. Double click the image "hello.png" in the media library.

The `xeyes` program (if installed on your system) should start.

See pitivi/mainwindow.py:_mediaLibraryPlayCb().

An exploit scenario would require an attacker to provide a
specially-crafted directory hierarchy or file path. Since Pitivi does
not expose the path to the user, and a workflow of consuming content
created by others is common when working with media files, such a
scenario occurring is not hard to imagine.


References:
https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2 (upstream fix)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0855
http://seclists.org/oss-sec/2015/q4/574
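
The class of bug described above, as an added example (not Pitivi's code and not the upstream fix): a path interpolated into a shell command string is rewritten by the shell, while the same path passed as an argv element, or quoted with `shlex.quote()`, reaches the program unchanged. The `printf` stand-in for the viewer, the function names and the sample path are assumptions made for the illustration.

```python
import shlex
import subprocess

# Constructed sample path, modelled on the "images/$(xeyes)/" layout in the
# report, with a harmless substitution so the effect shows up in the output.
SAMPLE_PATH = "images/$(echo INJECTED)/hello.png"

# Hypothetical stand-in for the external viewer: `printf %s ARG` hands back
# exactly the argument the launched program received.
VIEWER = "printf"


def open_via_shell_string(path):
    """Vulnerable pattern: the path is pasted into a string that /bin/sh parses.

    os.system(cmd) parses cmd the same way; shell=True is used here only so
    the result can be captured. Double quotes do not stop $(...) expansion.
    """
    cmd = f'{VIEWER} %s "{path}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_via_argv(path):
    """Hardened: no shell involved, the path is a single argv element."""
    argv = [VIEWER, "%s", path]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def open_via_quoted_shell(path):
    """Fallback when a shell is unavoidable: shlex.quote() the untrusted part."""
    cmd = f"{VIEWER} %s {shlex.quote(path)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for fn in (open_via_shell_string, open_via_argv, open_via_quoted_shell):
        seen = fn(SAMPLE_PATH)
        verdict = "path rewritten by shell" if seen != SAMPLE_PATH else "path intact"
        print(f"{fn.__name__:24} viewer saw {seen!r} ({verdict})")
```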
Comment 1 Swamp Workflow Management 2015-12-29 23:00:51 UTC
bugbot adjusting priority
Comment 2 Dominique Leuenberger 2015-12-30 10:24:45 UTC
Patch from upstream backported and added to 13.2 and Leap 42.1 builds.
Submitted as SR

351304  State:review     By:dimstar      When:2015-12-30T10:22:52
        maintenance_incident: home:dimstar:branches:OBS_Maintained:pitivi/pitivi.openSUSE_13.2_Update@c7d0dd84daee09b6b8ab139bfa5c68a2 -> openSUSE:Maintenance (release in openSUSE:13.2:Update)
        maintenance_incident: home:dimstar:branches:OBS_Maintained:pitivi/pitivi.openSUSE_Leap_42.1_Update@5ad578a591375c03c95c1ba1e57a3203 -> openSUSE:Maintenance (release in openSUSE:Leap:42.1:Update)
        Review by User       is new:       maintbot                                          
        Descr: Fix security issue in pitivi


(The packages have been 100% aligned again, which is why the Leap package has some more references to bugs, which are NOT specific to this very update. But it's cleaner to keep the sources identical.)
Comment 3 Andreas Stieger 2016-01-02 21:43:06 UTC
Update running. 13.1 not affected.
Comment 4 Andreas Stieger 2016-01-11 10:09:03 UTC
Releasing update
Comment 5 Swamp Workflow Management 2016-01-11 13:11:20 UTC
openSUSE-SU-2016:0065-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 960339
CVE References: CVE-2015-0855
Sources used:
openSUSE Leap 42.1 (src):    pitivi-0.94-7.1
openSUSE 13.2 (src):    pitivi-0.94-2.9.1