CVE-2015-0855 – This vulnerability in Pitivi video editor allow... (How to Fix)

Q: What is the severity of CVE-2015-0855?

CVE-2015-0855 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Pitivi video editor allows attackers to execute arbitrary code by providing specially crafted file paths containing shell metacharacters. The _mediaLibraryPlayCb function passes user-controlled file paths directly to shell commands without proper sanitization. Users running vulnerable versions of Pitivi are affected.

📋 TL;DR

This vulnerability in Pitivi video editor allows attackers to execute arbitrary code by providing specially crafted file paths containing shell metacharacters. The _mediaLibraryPlayCb function passes user-controlled file paths directly to shell commands without proper sanitization. Users running vulnerable versions of Pitivi are affected.

💻 Affected Systems

Products:

Pitivi

Versions: All versions before 0.95

Operating Systems: Linux, Unix-like systems

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems where Pitivi is installed and users open untrusted media files.

📦 What is this software?

Pitivi by Pitivi

View all CVEs affecting Pitivi →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the user's system, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Local privilege escalation or arbitrary code execution in the context of the user running Pitivi, allowing attackers to access user files, install malware, or pivot to other systems.

🟢

If Mitigated

Limited impact if application runs in sandboxed environment with restricted permissions and no network access.

🌐 Internet-Facing: LOW - This requires local access or tricking users into opening malicious files, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Risk exists if users run vulnerable Pitivi versions and open untrusted media files from internal sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires user interaction to open malicious file. Proof of concept details are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.95 and later

Vendor Advisory: https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2

Restart Required: No

Instructions:

1. Update Pitivi to version 0.95 or later using your distribution's package manager. 2. For Ubuntu/Debian: sudo apt update && sudo apt upgrade pitivi. 3. For source installations: Download latest version from official repository and rebuild.

🔧 Temporary Workarounds

Avoid opening untrusted files

all

Do not open media files from untrusted sources in Pitivi until patched.

Run in restricted environment

linux

Run Pitivi with reduced privileges using sandboxing tools.

firejail pitivi
bwrap --unshare-all --share-net --ro-bind /usr /usr --ro-bind /etc /etc --bind $HOME $HOME pitivi

🧯 If You Can't Patch

Uninstall Pitivi if not essential for operations
Implement application whitelisting to prevent execution of vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check Pitivi version: pitivi --version. If version is earlier than 0.95, system is vulnerable.

Check Version:

pitivi --version

Verify Fix Applied:

After update, verify version is 0.95 or later: pitivi --version

📡 Detection & Monitoring

Log Indicators:

Unusual process spawns from Pitivi
Shell command execution with unusual arguments from Pitivi process

Network Indicators:

Unexpected outbound connections from Pitivi process

SIEM Query:

process_name:"pitivi" AND (process_cmdline:*;* OR process_cmdline:*&* OR process_cmdline:*|* OR process_cmdline:*`*)

📊 Metadata

CVE ID: CVE-2015-0855

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: March 23, 2017

Last Updated: April 20, 2025

🔗 References

http://www.openwall.com/lists/oss-security/2015/12/23/8 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/97283
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1495272 Issue Tracking,Third Party Advisory
https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2 Issue Tracking,Patch,Third Party Advisory
http://www.openwall.com/lists/oss-security/2015/12/23/8 Mailing List,Patch,Third Party Advisory
http://www.securityfocus.com/bid/97283
https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1495272 Issue Tracking,Third Party Advisory
https://git.gnome.org/browse/pitivi/commit/?id=45a4c84edb3b4343f199bba1c65502e3f49f5bb2 Issue Tracking,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2015-0855, you might also want to check these: