Patch to fix the shell command injection pitivi Version 0.94
** Patch added: "patch for mainwindow.py , pitivi Version 0.94" https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4504236/+files/mainwindow.py.diff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pitivi in Ubuntu. https://bugs.launchpad.net/bugs/1506823 Title: Shell Command Injection with a picture Status in pitivi package in Ubuntu: New Bug description: mainwindow.py , Line 486 os.system('xdg-open "%s"' % path_from_uri(asset.get_id())) If you import an image and double click on it to see a preview , any shell command in the picture name will be executet. For example : 1) rename a picture to this name $(xmessage hello world).png 2) import the picture 3) doubleclick on the picture entry in the media libary. 4) xmessage runs So, please use subprocess, not os.system screenshot attached ProblemType: Bug DistroRelease: Ubuntu 15.10 Package: pitivi 0.94-4 ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3 Uname: Linux 4.2.0-15-generic x86_64 ApportVersion: 2.19.1-0ubuntu2 Architecture: amd64 CurrentDesktop: Unity Date: Fri Oct 16 12:16:05 2015 InstallationDate: Installed on 2015-10-09 (6 days ago) InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009) SourcePackage: pitivi UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp