Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <52CEABC5.3020803@redhat.com>
Date: Fri, 10 Jan 2014 01:01:41 +1100
From: Murray McAllister <mmcallis@...hat.com>
To: oss-security@...ts.openwall.com
Subject: temporary file issue in flite

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a
temporary file handling flaw in flite, a speech synthesis engine
(text-to-speech). A local attacker could use this flaw to perform a
symbolic link attack to modify an arbitrary file accessible to the user
running flite, or possibly obtain sensitive information as the temporary
file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

static int play_wave_from_socket(snd_header *header,int audiostream)
{
…
fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);
…
n = audio_write(audio_device,shorts,q);
cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is 
just to ifdef the lines out...

A patch is available from 
https://bugzilla.redhat.com/show_bug.cgi?id=1048678

Cheers,

--
Murray McAllister / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.