Date: Fri, 10 Jan 2014 01:01:41 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: temporary file issue in flite

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a
temporary file handling flaw in flite, a speech synthesis engine
(text-to-speech). A local attacker could use this flaw to perform a
symbolic link attack to modify an arbitrary file accessible to the user
running flite, or possibly obtain sensitive information as the temporary
file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

static int play_wave_from_socket(snd_header *header,int audiostream)
{

fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);

n = audio_write(audio_device,shorts,q);
cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is 
just to ifdef the lines out...

A patch is available from 
https://bugzilla.redhat.com/show_bug.cgi?id=1048678

Cheers,

--
Murray McAllister / Red Hat Security Response Team
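
Added example, not part of the original message and not flite's code or the Bugzilla patch: for code that does need a scratch file, this C sketch shows an exclusive, no-follow open refusing a pre-existing symlink at a fixed name, and mkstemp() as the preferred alternative. The function names, the "flite-dbg-" prefix and the scratch directory are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name, hardened: O_EXCL fails if anything (a symlink included)
 * already exists at the path, O_NOFOLLOW refuses a symlink in the last
 * component, and mode 0600 keeps the audio data private. */
int open_fixed_name_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: unpredictable name from mkstemp(), created exclusively.
 * `dir` and the name prefix are hypothetical; `out` receives the path. */
int open_private_dump(const char *dir, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/flite-dbg-XXXXXX", dir) >= (int)outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory: a symlink already
 * sits at the fixed name. Returns 0 if the open is refused and the file
 * the link points at is left untouched, 1 if not, 2 on setup failure. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/tmpdemo-XXXXXX", target[64], fixed[64];
    struct stat st;
    if (!mkdtemp(dir)) return 2;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(fixed, sizeof fixed, "%s/awb.wav", dir);
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t < 0 || write(t, "keep", 4) != 4 || close(t) != 0) return 2;
    if (symlink(target, fixed) != 0) return 2;
    int fd = open_fixed_name_excl(fixed);   /* must fail: path exists */
    int refused = fd < 0;
    if (fd >= 0) close(fd);
    int intact = (stat(target, &st) == 0 && st.st_size == 4);
    unlink(fixed); unlink(target); rmdir(dir);
    return (refused && intact) ? 0 : 1;
}

int main(void) { return symlink_is_refused(); }
```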
