Festival as it is currently set up by portage when installed runs under the root user. If a festival daemon setup is used, the default server password is nil, i.e. absent. When the daemon is running, anyone who can connect to the festival daemon at the normal TCP port can issue the '(system "<whatever>")' command, which will execute with root privileges. The default configuration denies connection from anywhere but localhost, but local users can connect and execute commands as root regardless.

Reproducible: Always

Steps to Reproduce:
Using the festival_client.pl provided in /usr/share/doc/festival-*/ connect to your localhost festival daemon as a non-root user, and enter the command (system "whoami > /tmp/amiroot"), then exit the client and cat /tmp/amiroot.

There are several approaches to fixing this, but giving the daemon its own user account seems the best approach.
thanks for your report. CCing maintainer
Adding herds. Please comment/fix, since jeeves has not seen williamh for 20 days.
Herds please advise and provide an updated ebuild as necessary.
Herds please advise.
Herds/Maintainer please advise
hurry up or mask
Created attachment 121219 [details, diff] festival-bug-170477.diff

How about something like this? Run it as its own user and set its shell to /bin/false.

solar@here $ echo '(system "whoami > /tmp/amiroot")' | busybox nc localhost 1314
LP
nil
ft_StUfF_keyOK
solar@here $ cat /tmp/amiroot
festival

I don't know if the 'system' command can/should/could be disabled altogether or if there is a better alternative, but this meets the initial poster's suggestion.
(In reply to comment #9)
> I don't know if the 'system' command can/should/could be disabled all together
> or if there is a better alternative but this meets the initial
> posters suggestion.

It shouldn't be disabled altogether because festival extensively uses it internally (for example, it is required to use mbrola voices). Also, I think I've seen several code examples which involve using it from the client to play the speech festival generates, so you probably can't prevent the client from using it without breaking stuff. But it definitely doesn't have to be root. :)

Adding the festival user to the audio group in the ebuild would be a good idea, by the way.
(In reply to comment #9)
> Created an attachment (id=121219) [edit]
> festival-bug-170477.diff
>
> How about something like this? Run it as its own user and set its shell to
> /bin/false.

It still doesn't stop one from wgetting, building, and running shellcode which opens a backdoor to experiment with local exploits to gain root privileges.
> It still doesn't stop one from wgetting, building, and running shellcode which opens
> a backdoor to experiment with local exploits to gain root privileges.

Considering that connections are only allowed from localhost in the default configuration, you have to be a local user already to do that, or am I missing something?
(In reply to comment #10)
> Adding the festival user to the audio group in the ebuild would be a good idea,
> by the way.

Can you please attach an updated diff.

cvs -d :pserver:anonymous@anoncvs.gentoo.org:/var/cvsroot \
    co gentoo-x86/app-accessibility/festival
...
cvs diff -u > foo.diff
> Can you please attach an updated diff.

If I knew enough portage, I'd have posted a diff with that instead of just a bug report in the first place. :)
Oh, almost forgot, just noticed this. The server.scm configuration file that comes with the ebuild actually contains:

; Server access list (hosts)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))

If 192.168.* is allowed, and you can (system "<whatever>") from a different machine, the argument about using festival to try local exploits still stands. Maybe adding a warning to set a server password if you plan to connect to festival remotely is also in order.
(In reply to comment #15)
> Oh, almost forgot, just noticed this. The server.scm configuration file that
> comes with the ebuild actually contains:
>
> ; Server access list (hosts)
> (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
>

Question: Would that regexp currently allow remote exec of the "system" command with a domain such as localhost.is.a.myth.gentoo.org?
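As an added illustration, not code from this bug thread or from the festival package: a small Python audit that reads the access list and password setting out of a constructed server.scm fragment (the one quoted above plus the nil default password) and reports which entries admit hosts other than the local machine. It assumes that festival treats each access-list entry as a regular expression matched against the whole client hostname or address; the probe hostnames are constructed for the example.

```python
import re

# Constructed sample: the access list quoted in the thread plus festival's
# default nil server password. Not a file shipped by the ebuild.
SAMPLE_SERVER_SCM = """
; Server access list (hosts)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
(set! server_passwd nil)
"""

# Constructed probe names: a mix of local identities and remote-looking hosts.
PROBE_HOSTS = [
    "localhost",
    "127.0.0.1",
    "localhost.is.a.myth.gentoo.org",
    "workstation",
    "192.168.1.20",
    "10.0.0.5",
]

# Names that refer to the machine the daemon runs on; anything else is remote.
LOCAL_ONLY = {"127.0.0.1", "localhost", "localhost.localdomain"}


def parse_access_list(scm_text):
    """Return the quoted strings inside (set! server_access_list '( ... ))."""
    m = re.search(r"\(set!\s+server_access_list\s+'\((.*?)\)\)", scm_text, re.S)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def parse_password(scm_text):
    """Return the configured server password, or None when it is nil/absent."""
    m = re.search(r"\(set!\s+server_passwd\s+(\S+?)\)", scm_text)
    if not m or m.group(1) == "nil":
        return None
    return m.group(1).strip('"')


def host_allowed(patterns, host):
    # Assumption: each entry is a regex compared against the whole hostname.
    return any(re.fullmatch(p, host) for p in patterns)


def audit(scm_text, probe_hosts):
    """List configuration findings a reviewer would want to see."""
    findings = []
    if parse_password(scm_text) is None:
        findings.append(
            "server_passwd is nil: every allowed host may send (system ...)"
        )
    for pattern in parse_access_list(scm_text):
        remote = [
            h for h in probe_hosts
            if h not in LOCAL_ONLY and re.fullmatch(pattern, h)
        ]
        if remote:
            findings.append(f"pattern {pattern!r} admits non-local hosts: {remote}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SERVER_SCM, PROBE_HOSTS):
        print(line)
```

Run against the constructed sample, the audit flags the nil password and three of the four patterns: "[^.]+" accepts any dotless name such as "workstation", "localhost.*" accepts "localhost.is.a.myth.gentoo.org" because the unanchored ".*" runs to the end, and "192.168.*" accepts the whole private range. Only "127.0.0.1" is tied to the local machine.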
Created attachment 121309 [details, diff] festival-bug-170477.diff
That patch sounds good to me, even though it is only a poor workaround. Sound herd: does someone want to commit it into the tree, or can we commit it ourselves?
I am looking at committing this tonight or tomorrow. Thanks.
I have found one issue with this patch so far. The festival server can create a log, and by default that goes to /var/log/festival.log. That does not work if festival is running as a user other than root since /var/log is read-only to any other user. Any suggestions?
(In reply to comment #20)
> I have found one issue with this patch so far. The festival server can create
> a log, and by default that goes to /var/log/festival.log. That does not work
> if festival is running as a user other than root since /var/log is read-only to
> any other user. Any suggestions?

Things like apache, clamav, lighttpd, mysql, snort and squid all use a subdir in /var/log/ that is owned by that user. So you want /var/log/festival/festival.log
Created attachment 121494 [details] festival-1.95_beta-r3.ebuild

Fixes /var/log/festival/ and enewuser. Big cleanup. Not using a diff because it would be larger than the file.
Created attachment 121496 [details] festival.rc

Runs as "festival" user.
Created attachment 121497 [details] server.scm

Sets logfile location.
The fix for this has been committed to the tree. I'm not sure whether I can close this or if I should wait for the security team to check it. Please advise.
Thx William, now it's time for arches. Arches please test and mark stable. Target keywords are:

festival-1.95_beta-r4.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
app-accessibility/festival-1.95_beta-r4 USE="X asterisk -esd -mbrola"

1. emerges on x86
2. passes collision test
3. app-accessibility/gnome-speech-0.4.11 emerges with it
4. works

Portage 2.1.2.7 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.5-r3, 2.6.20.12 i686)
=================================================================
System uname: 2.6.20.12 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 09:00:01 +0000
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.3.5-r3, 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa apache2 asf avahi berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dri dts dvd dvdr dvdread eds emboss encode evo fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kdeenablefinal kerberos ldap libg++ mad midi mikmod mmx mono mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads tiff truetype truetype-fonts type1-fonts unicode vcd vorbis wifi win32codecs wxwindows x264 x86 xine xml xorg xprint xv xvid zlib"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LINGUAS="en de en_GB de_CH"
USERLAND="GNU"
VIDEO_CARDS="i810 fbdev vesa"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
ppc stable
Stable for HPPA.
ppc64 stable
Testing festival-1.95_beta-r4

1. Emerges fine
2. Passes collision
3. Works fine
4. no security hole with test case

$ emerge --info
Portage 2.1.2.7 (default-linux/alpha/2007.0, gcc-4.1.2, glibc-2.5-r2, 2.6.21-gentoo-r1 alpha)
=================================================================
System uname: 2.6.21-gentoo-r1 alpha EV56
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 09 Jun 2007 14:20:01 +0000
distcc 2.18.3 alpha-unknown-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.18.1
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17.50.0.16
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/overlay"
SYNC="rsync://eldest/gentoo-portage"
USE="X acl alpha alsa berkdb bitmap-fonts bzip2 cli cracklib crypt cups curl dri fortran gdbm gpm iconv ipv6 isdnlog ldap libg++ logrotate midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl postfix pppd python readline reflection session spl sqlite ssl startup-notification tcpd test truetype-fonts type1-fonts unicode xorg zlib"
ALSA_CARDS="au8810"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="evdev keyboard mouse joystick"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="vga s3virge nv cirrus"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
stable on alpha. Brian++
Marked stable on amd64.
x86 stable, thanks Markus.
sparc stable.
ia64: is there something wrong with stabilization?
ia64 is not security supported :) Plus I can't test it.
err, indeed :)
It's GLSA 200707-10, thanks.