Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 2 Feb 2017 00:55:01 -0500
From: <cve-assign@...re.org>
To: <max@...canary.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE requests: code injection in rubygem espeak-ruby and code injection in rubygem festivaltts4r

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Two similar vulnerabilities in ruby text-to-speech libraries.

> [] 1) espeak-ruby
> 
> Rubygem espeak-ruby passes user modifiable strings directly to a shell
> command.
> 
> An attacker can execute malicious commands by modifying the strings that
> are passed as arguments to the speak, save, bytes and bytes_wav methods in
> the lib/espeak/speech.rb.
> 
> https://github.com/dejan/espeak-ruby/issues/7

Use CVE-2016-10193.


> [] 2) festivaltts4r
> 
> Rubygem festivaltts4r passes user modifiable strings directly to a shell
> command.
> 
> An attacker can execute malicious commands by modifying the strings that
> are passed as arguments to the to_speech and and to_mp3 methods in
> lib/festivaltts4r/festival4r.rb.
> 
> https://github.com/spejman/festivaltts4r/issues/1

Use CVE-2016-10194.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYksb0AAoJEHb/MwWLVhi2mkEQALLyH6VlcdSpoQJaTgu9Rb3m
7E5nG6xJpQOgaSGnG7app8LBgGkXDxpO8O02tqHpjvriq+WrstxgepvohYEh71z7
AgahTWdBRThSx8hRFxQE0ixj0RuIa0895ic82H0c7uD6RESGkfDJf+YgYis4wvoF
APYmog4LJ8AbqN0khPh7ug0w/jpqV/RQAtddcC5PXqbgcl7K+RjFpSWHL4R9feS/
aq3tBEJ7grXfJ+juUE1OvuXDRLO9RJbWMHeVHHghvwL37gUJ13sUtjlvPBTztYeJ
h9VQ7WH67TSYI+OqsA09U0SzG9lagVerffgPXU3Fe62DeV3JQouto0KqraUpDmZa
+Ucz3orTsJ/QKRIlxJimC3/RDwWz/WhJv0SdjdbqPaCehXCiGWs5QbakVYa+R1H6
+UNmHA5FlxB/zCiAltgviL+OdaxNUCT1dhSuXW7JnFmrujQ4PdknYy0UVV+KWwxp
OdRXJVkbLDj53FxXi1MIq1P3qQDr74U60+eJHE0hbg7UYGqED5DQ5zrgpZEv97kd
ldr8XnS3zgxOqsNMGxvGKUIKjLxEGqqHRPWzYJFtk946WC49upbkmsezGRx7F0Hr
KxYXqnjLm28oBCI4q8jA8KtgapnxnbMjw1SWQvOOQnltmbwRbEEAVa53B6dCoCGT
03ZXu+SVo5UqQbGCBmcM
=np+3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.