This package uses a socket located at /tmp/es.socket, both by default and as a fallback (if no socket is defined in the config file). Since /tmp is writeable by everyone, any member of the speech group can change /tmp/es.socket to a symlink, pointing to a file of his choice. The next time the eflite service is started, the init script performs

    chown root:speech /tmp/es.socket
    chmod 660 /tmp/es.socket

That changes the ownership of the *target* of the symlink to root:speech and makes it group-writeable. Thus the speech group attains root. A similar trick works with hard links.

Before the first time the service is started (i.e. before the socket owned by root:speech exists), any user can create the link -- not just a member of the speech group.

To reproduce, install eflite, and make /tmp/es.socket a symlink pointing somewhere important. Start eflite, and watch the target's ownership change.
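The report above describes the mechanism in words; the following is an added demonstration, not eflite's init script and not part of this bug. It rebuilds the scene in a scratch directory as an unprivileged user: a 1777 directory standing in for /tmp, a mode-600 file standing in for the "important" target, and an attacker step that plants either a symlink or a hard link at the expected socket path. Because chown to root:speech needs root, the privileged fix-up step is represented by the chmod 660 alone; chmod dereferences the path exactly as the init script's chown/chmod does, so the target's mode changes the same way. The guarded variant (function name, return codes and the socket-type check are this example's own) refuses a symlink, refuses a file with extra hard links, and refuses anything that is not a socket.

```shell
#!/bin/sh
# Added demonstration of the /tmp/es.socket link attack and a guarded
# fix-up step. Runs entirely as an unprivileged user in a scratch directory.
# Not eflite's own code; names and return codes are this example's.

# Permission bits as octal, following symlinks the way chmod/chown do.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Hard-link count (the hard-link variant of the attack leaves it above 1).
nlink_of() {
    stat -c %h "$1" 2>/dev/null || stat -f %l "$1"
}

# Scene: $1/tmp is a world-writable sticky directory like /tmp, and
# $1/secret is a mode-600 file the attacker wants made group-writable.
scene_setup() {
    mkdir -p "$1/tmp"
    chmod 1777 "$1/tmp"
    printf 'constructed sensitive content\n' > "$1/secret"
    chmod 600 "$1/secret"
}

# Attacker step, variant 1: plant a symlink at the expected socket path.
plant_symlink() { ln -s "$1/secret" "$1/tmp/es.socket"; }

# Attacker step, variant 2: plant a hard link at the expected socket path.
plant_hardlink() { ln "$1/secret" "$1/tmp/es.socket"; }

# What the vulnerable init script effectively does: trust the path and
# adjust permissions on whatever it resolves to.
unsafe_fixup() {
    chmod 660 "$1"
}

# Guarded fix-up: refuse a symlink (rc 2), refuse a file with extra hard
# links (rc 3), refuse anything that is not a socket (rc 4), else chmod.
# A check-then-act sequence still has a race window; the structural fix is
# to keep the socket out of any directory an unprivileged user can write to.
safe_fixup() {
    p=$1
    if [ -L "$p" ]; then
        echo "refusing $p: it is a symlink" >&2; return 2
    fi
    if [ "$(nlink_of "$p")" -ne 1 ]; then
        echo "refusing $p: it has extra hard links" >&2; return 3
    fi
    if [ ! -S "$p" ]; then
        echo "refusing $p: not a socket" >&2; return 4
    fi
    chmod 660 "$p"
}

# Walk through the symlink variant and print the before/after modes.
main() {
    d=$(mktemp -d)
    scene_setup "$d"
    plant_symlink "$d"
    echo "before: secret is mode $(mode_of "$d/secret")"
    safe_fixup "$d/tmp/es.socket" || echo "guarded fix-up refused (rc=$?)"
    unsafe_fixup "$d/tmp/es.socket"
    echo "after unguarded fix-up: secret is mode $(mode_of "$d/secret")"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    main
fi
```

Run it as `sh demo.sh demo`: the secret file starts at mode 600, the guarded step refuses with rc=2, and the unguarded step leaves it at 660 even though only the path under the fake /tmp was named. The hard-link variant behaves the same way against the unguarded step and is what the link-count check is for.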
@ Maintainer(s): Please tell us how you want to proceed here. Will you look into this or should security take actions?
I came up with a fix for this, but the package is currently unusable because of bug #593274.
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
@mjo: What was your fix for this? Thanks, William
I still wasn't able to build eflite to test:

    checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
    checking for connect in -lsocket... no
    checking for library containing pthread_create... -lpthread
    ./configure: 410: test: Illegal number: then
    ./configure: 2968: ./configure: Syntax error: Bad fd number

but I still have my temp directory from when I worked on this bug.

The first thing I would try is to see if eflite can be started as a non-root user/group. If it runs as a dedicated user, then you can create /run/eflite as eflite:eflite (755) in the service script with checkpath and the daemon can create the socket itself (660) with no chown/chmod or init script involvement.

If eflite has to run as root, then you should create /run/eflite as root:root with checkpath, and then be careful when you create and checkpath the socket to the proper group. So long as /run/eflite is root:root, its contents should be relatively safe.

Either way, you should never use a socket under /tmp. Just fix the path to /run/eflite/something. Even making it configurable is more trouble than it's worth. If it works out of the box, nobody will want to mess with it.
eflite might be better dropped, the last version is from 2006-01-18. i don't see any packages depending on it. any objections?
(In reply to Miroslav Šulc from comment #7)
> eflite might be better dropped, the last version is from 2006-01-18. i don't
> see any packages depending on it. any objections?

Yep, I recall this being one of the first packages I recommended treecleaning (on irc). As I recall William meant to look into it but I guess never did or had no luck. CCing treecleaner.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a243c770660da9349d29c50a32e51a78850cc61

commit 7a243c770660da9349d29c50a32e51a78850cc61
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-07-17 22:12:23 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-07-17 22:22:03 +0000

    package.mask: mask app-accessibility/eflite for removal

    Bug: https://bugs.gentoo.org/602594
    Bug: https://bugs.gentoo.org/639430
    Bug: https://bugs.gentoo.org/677382
    Bug: https://bugs.gentoo.org/695028
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e12b34dfa139ae23d75fe123d858a632c77f6124

commit e12b34dfa139ae23d75fe123d858a632c77f6124
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-21 00:35:53 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-21 00:41:07 +0000

    profiles/package.mask: remove entry for app-accessibility/eflite

    Closes: https://bugs.gentoo.org/602594
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 profiles/package.mask | 6 ------
 1 file changed, 6 deletions(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bba7ecf807ebd89635728aa57b6d90ff957d541

commit 3bba7ecf807ebd89635728aa57b6d90ff957d541
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-21 00:34:09 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-21 00:38:53 +0000

    app-accessibility/eflite: remove package

    Bug: https://bugs.gentoo.org/602594
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-accessibility/eflite/Manifest                  |  1 -
 app-accessibility/eflite/eflite-0.4.1-r3.ebuild    | 46 ----------------------
 .../eflite/files/eflite-0.4.1-flite14.patch        | 24 -----------
 app-accessibility/eflite/files/eflite.rc           | 28 -------------
 app-accessibility/eflite/files/es.conf             | 11 ------
 app-accessibility/eflite/metadata.xml              | 33 ----------------
 6 files changed, 143 deletions(-)
Time createth all things and Time destroyeth all creatures.