Red Hat Bugzilla – Bug 1295361
CVE-2015-0855 pitivi: insecure use of os.system()
Last modified: 2016-08-10 04:45:24 EDT
A flaw was fixed in pitivi 0.95:
Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi.
An exploit scenario would require an attacker to provide a specially-crafted directory hierarchy or file path. Since Pitivi does not expose the path to the user, and a workflow of consuming content created by others is common when working with media files, such a scenario occurring is not hard to imagine.
This was fixed in version 0.95 with commit:
Created pitivi tracking bugs for this issue:
Affects: fedora-all [bug 1295362]
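The bug class named in the title, as an added example (this is not Pitivi's code and not the fixing commit): a path concatenated into a shell command line is parsed by the shell, while the same path passed as one argv element, or quoted with `shlex.quote`, stays inert data. The `printf` stand-in command, the function names and the file name are constructed for illustration and assume a POSIX `/bin/sh`.

```python
import shlex
import subprocess
import sys

# Constructed sample: a media file name containing a shell metacharacter.
CRAFTED_NAME = "clip.ogv; echo INJECTED"


def open_unsafe(path):
    """Vulnerable pattern: the path is concatenated into a shell command line.

    shell=True hands the string to /bin/sh -c, the same parsing that
    os.system() applies; subprocess is used here only to capture the output.
    """
    cmd = "printf '%s\\n' " + path
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def open_safe(path):
    """Hardened pattern: argument vector, no shell; the path is one argv item."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", path]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def open_quoted(path):
    """Fallback when a shell cannot be avoided: quote the untrusted value."""
    cmd = "printf '%s\\n' " + shlex.quote(path)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


if __name__ == "__main__":
    # The unsafe form yields two lines: the shell split the name at ';'
    # and ran the remainder as a second command.
    print("unsafe:", open_unsafe(CRAFTED_NAME))
    # Both hardened forms yield the file name back as a single value.
    print("safe:  ", open_safe(CRAFTED_NAME))
    print("quoted:", open_quoted(CRAFTED_NAME))
```
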