A security issue in pitivi was announced on December 23:
http://openwall.com/lists/oss-security/2015/12/23/8

The issue was fixed upstream in 0.95 and the message above contains a link to the upstream commit to fix the issue.
Pushed new release [1] to core/updates_testing which fixes the issue and also disables the new version available notification in About window.

Link in comment 0 describes steps to reproduce the issue.

[1] RPM/SRPM: pitivi-0.94-3.1.mga5
Assignee: jani.valimaa => qa-bugs
Advisory:
========================

Updated pitivi package fixes security vulnerability:

In pitivi before 0.95, double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi (CVE-2015-0855).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0855
http://openwall.com/lists/oss-security/2015/12/23/8
mga5 x86_64 Mate

PoC or not:
Created directory pit containing subdirectory vlc and copied a PNG image to pit/vlc. Invoked pitivi and created a new project by importing pit and saving before exit. At this stage I was not sure exactly what images/$(xeyes)/ meant but set xeyes to "vlc" in a terminal and ran pitivi again and reloaded the new project which displayed the PNG image. Double-clicked on the image to launch a window entitled "xine: <image path>". I had been expecting vlc but the xine logo flashed up momentarily. However, I discovered that there is a program called xeyes so installed that and tried again with pit/xeyes/<PNG image>. This still used xine so it is not clear to me how to invoke arbitrary code.

Installed pitivi-0.94-3.1 and ran the last test again by reloading the saved project and double-clicking the image. That again attempted to run xine so I started a new project and imported the said image. Double-clicking on it returned the same result; xine flashed up and left a window containing the image. Double-clicking on that expands the image to fullscreen and right-clicking on that brings up a xine menu including many facilities like 'play'.

The welcome screen contains 'help' which provides an 'about' button which does not show any message about new version available.

Is this update equivalent to 0.95? Help needed on this.
CC: (none) => tarazed25
Reverted to pitivi-0.94-3. Created directory img/$(eom) and placed the test image there. Back into pitivi to import the img tree. Double-clicked on the image in the main window and eom (Eye of Mate image viewer) started. That does confirm the PoC. Installed the update and followed the same procedure. This time xine was invoked, not eom.
Whiteboard: (none) => MGA5-64-OK
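Why a directory named `$(eom)` starts eom on the unpatched package, shown as an added example that is not pitivi's code and not part of this bug report. It assumes the file path reached the external opener through a shell command line; the opener here is a stand-in that only prints the argument it receives, and the function names are hypothetical.

```python
import shlex
import subprocess
import sys

# Stand-in for the external opener: prints the single argument it was given.
# (Assumption: the real opener launches a viewer for that path.)
_SHOW_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def _run(cmd, shell):
    done = subprocess.run(cmd, shell=shell, capture_output=True,
                          text=True, check=True)
    return done.stdout.rstrip("\n")


def open_with_shell_string(path):
    """Unsafe: the path is pasted into a command line that /bin/sh parses."""
    prefix = " ".join(shlex.quote(part) for part in _SHOW_ARG)
    # Double quotes keep spaces together but do NOT stop $(...) substitution.
    return _run('%s "%s"' % (prefix, path), shell=True)


def open_with_argv(path):
    """Safe: no shell is involved; the path is exactly one argv element."""
    return _run(_SHOW_ARG + [path], shell=False)


def open_with_quoted_shell_string(path):
    """If a shell cannot be avoided, shlex.quote() keeps the path literal."""
    prefix = " ".join(shlex.quote(part) for part in _SHOW_ARG)
    return _run("%s %s" % (prefix, shlex.quote(path)), shell=True)


# Constructed sample modelled on the tester's img/$(eom) directory;
# a harmless echo stands in for the program name.
SAMPLE = "img/$(echo SUBSTITUTED)/test.png"

if __name__ == "__main__":
    for fn in (open_with_shell_string, open_with_argv,
               open_with_quoted_shell_string):
        print("%-32s -> %s" % (fn.__name__, fn(SAMPLE)))
```

Only the first function lets the shell rewrite the path before the opener sees it; the other two hand over the directory name unchanged.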
mga5 i586 vbox Mate

Followed the same steps in virtualbox to exercise the Proof of Concept and saw eom launch a blank window. After the update pitivi launched ristretto to view the image. I think this can be validated and pushed to updates.
CC: (none) => sysadmin-bugs
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA-32-OK
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK MGA-32-OK => MGA5-64-OK MGA5-32-OK
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => davidwhodgins
Sorry Dave - I missed that - shall check which repository was used.
And sorry again - mixing up the bugs. Must be the time of year.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0001.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/671468/