A flaw was fixed in pitivi 0.95:

Double-clicking a file in the user's media library with a specially-crafted path or filename allows for arbitrary code execution with the permissions of the user running Pitivi. An exploit scenario would require an attacker to provide a specially-crafted directory hierarchy or file path. Since Pitivi does not expose the path to the user, and a workflow of consuming content created by others is common when working with media files, such a scenario occurring is not hard to imagine.

This was fixed in version 0.95 with commit:

https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2

External References:

http://seclists.org/oss-sec/2015/q4/574

Created pitivi tracking bugs for this issue:

Affects: fedora-all [bug 1295362]