| Summary: | pitivi new security issue CVE-2015-0855 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/671468/ | | |
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | | |
| Source RPM: | pitivi-0.94-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2015-12-24 17:21:30 CET
Pushed new release [1] to core/updates_testing which fixes the issue and also disables the new version available notification in About window. Link in comment 0 describes steps to reproduce the issue.

[1] RPM/SRPM: pitivi-0.94-3.1.mga5

Assignee: jani.valimaa => qa-bugs

Advisory:
========================

Updated pitivi package fixes security vulnerability:

In pitivi before 0.95, double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi (CVE-2015-0855).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0855
http://openwall.com/lists/oss-security/2015/12/23/8

mga5 x86_64 Mate

PoC or not: Created directory pit containing subdirectory vlc and copied a PNG image to pit/vlc. Invoked pitivi and created a new project by importing pit and saving before exit. At this stage I was not sure exactly what images/$(xeyes)/ meant but set xeyes to "vlc" in a terminal and ran pitivi again and reloaded the new project which displayed the PNG image. Double-clicked on the image to launch a window entitled "xine: <image path>". I had been expecting vlc but the xine logo flashed up momentarily. However, I discovered that there is a program called xeyes so installed that and tried again with pit/xeyes/<PNG image>. This still used xine so it is not clear to me how to invoke arbitrary code.

Installed pitivi-0.94-3.1 and ran the last test again by reloading the saved project and double-clicking the image. That again attempted to run xine so I started a new project and imported the said image. Double-clicking on it returned the same result; xine flashed up and left a window containing the image. Double-clicking on that expands the image to fullscreen and right-clicking on that brings up a xine menu including many facilities like 'play'. The welcome screen contains 'help' which provides an 'about' button which does not show any message about new version available.

Is this update equivalent to 0.95? Help needed on this.

CC: (none) => tarazed25

Reverted to pitivi-0.94-3. Created directory img/$(eom) and placed the test image there. Back into pitivi to import the img tree. Double-clicked on the image in the main window and eom (Eye of Mate image viewer) started. That does confirm the PoC.

Installed the update and followed the same procedure. This time xine was invoked, not eom.

Len Lawrence
2015-12-29 20:23:57 CET
Whiteboard: (none) => MGA5-64-OK

mga5 i586 vbox Mate

Followed the same steps in virtualbox to exercise the Proof of Concept and saw eom launch a blank window. After the update pitivi launched ristretto to view the image. I think this can be validated and pushed to updates.

Len Lawrence
2015-12-29 21:40:27 CET
CC: (none) => sysadmin-bugs

James Kerr
2015-12-30 10:51:14 CET
Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK

Dave Hodgins
2015-12-31 03:20:13 CET
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

Sorry Dave - I missed that - shall check which repository was used.

And sorry again - mixing up the bugs. Must be the time of year.

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0001.html

Resolution: (none) => FIXED

David Walser
2016-01-11 21:31:43 CET
URL: (none) => http://lwn.net/Vulnerabilities/671468/
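
The QA test above triggered the issue with a directory named `img/$(eom)`. The following is an added example, not Pitivi's code or the Mageia patch, and it assumes (the page does not say so) that the application built a shell command line from the file path. It compares what a child process receives when a constructed path of that shape is pasted into a shell string, quoted with `shlex.quote`, or passed as a single argv element; all function names and the sample path are hypothetical.

```python
import shlex
import subprocess
import sys

# Constructed sample path modelled on the img/$(eom)/ directory from the QA
# test above; the substitution only echoes a marker instead of starting a program.
SAMPLE_PATH = "img/$(echo INJECTED)/test.png"

# Stand-in for the external viewer in the no-shell case: a child process
# that writes back the single argument it received.
ECHO_ARG = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def via_shell_string(path):
    """Assumed unsafe pattern: the path is pasted into a shell command line."""
    cmd = 'printf "%s" "' + path + '"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_quoted_shell(path):
    """A shell is still used, but the path is quoted with shlex.quote first."""
    cmd = 'printf "%s" ' + shlex.quote(path)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def via_argv_list(path):
    """No shell: the path is one argv element and is never interpreted."""
    return subprocess.run(ECHO_ARG + [path], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Print what the child saw under each launch style.
    for launch in (via_shell_string, via_quoted_shell, via_argv_list):
        print(f"{launch.__name__:18} -> {launch(SAMPLE_PATH)!r}")
```

Only `via_shell_string` lets the shell run the `$(...)` part of the name; the other two hand the child the literal path.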