This package uses a socket located at /tmp/es.socket, both by default and as a fallback (if no socket is defined in the config file). Since /tmp is writable by everyone, any member of the speech group can change /tmp/es.socket to a symlink, pointing to a file of his choice. The next time the eflite service is started, the init script performs:
chown root:speech /tmp/es.socket
chmod 660 /tmp/es.socket
That changes the ownership of the *target* of the symlink to root:speech and makes it group-writeable. Thus the speech group attains root.
A similar trick works with hard links.
Before the first time the service is started (i.e. before the socket owned by root:speech exists), any user can create the link -- not just a member of the speech group. To reproduce, install eflite, and make /tmp/es.socket a symlink pointing somewhere important. Start eflite, and watch the target's ownership change.
@ Maintainer(s): Please tell us how you want to proceed here. Will you look into this or should security take actions?
I came up with a fix for this, but the package is currently unusable because of bug #593274.
Unrestricting and reassigning to security@ per bug #705894
unrestricting per bug 705894
What was your fix for this?
I still wasn't able to build eflite to test:
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
checking for connect in -lsocket... no
checking for library containing pthread_create... -lpthread
./configure: 410: test: Illegal number: then
./configure: 2968: ./configure: Syntax error: Bad fd number
but I still have my temp directory from when I worked on this bug.
The first thing I would try is to see if eflite can be started as a non-root user/group. If it runs as a dedicated user, then you can create /run/eflite as eflite:eflite (755) in the service script with checkpath and the daemon can create the socket itself (660) with no chown/chmod or init script involvement.
If eflite has to run as root, then you should create /run/eflite as root:root with checkpath, and then be careful when you create and checkpath the socket to the proper group. So long as /run/eflite is root:root, its contents should be relatively safe.
Either way, you should never use a socket under /tmp. Just fix the path to /run/eflite/something. Even making it configurable is more trouble than it's worth. If it works out of the box, nobody will want to mess with it.
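The report above (symlink or hard link planted at the socket path, then chown/chmod following it) and the advice in this comment (socket under a root-owned /run/eflite, permissions fixed up with checkpath) are two sides of the same check. The following is an added example, not eflite's code and not OpenRC's checkpath: it shows, in Python, the guard an init script or daemon must apply before changing a socket's permissions. The names prepare_socket_dir, secure_socket_perms and demo, the scratch directory "run-eflite" (standing in for /run/eflite) and the constructed target file are this example's own assumptions.

```python
import os
import socket
import stat
import tempfile


def prepare_socket_dir(path, mode=0o755):
    """Create the socket's parent directory, refusing anything an
    unprivileged user could have planted at that name (symlink, non-directory,
    directory owned by someone else). This is the role /run/eflite plays in
    the thread's advice: only root can create names inside it."""
    try:
        st = os.lstat(path)            # lstat: never follow a symlink
    except FileNotFoundError:
        os.mkdir(path, mode)
        os.chmod(path, mode)           # mkdir's mode is masked by umask; pin it
        return True
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    os.chmod(path, mode)
    return True


def secure_socket_perms(path, mode=0o660):
    """Apply MODE to PATH only if PATH is a genuine UNIX socket: not a symlink,
    not some other file type, not an extra hard link to another inode, and
    owned by the caller. Returns None on success or a short reason string.
    The remaining lstat-then-chmod window is exactly why the socket must live
    in a directory unprivileged users cannot write to."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"               # chmod(2) would act on the target
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"          # e.g. a hard link to a regular file
    if st.st_nlink != 1:
        return "hard-linked"           # another name exists for this inode
    if st.st_uid != os.geteuid():
        return "foreign-owner"
    os.chmod(path, mode)
    return None


def demo():
    """Exercise the guard in a scratch directory (all files constructed here):
    a genuine socket, a symlink to a regular file, and a hard link."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        rundir = os.path.join(tmp, "run-eflite")   # stands in for /run/eflite
        results["dir"] = prepare_socket_dir(rundir)

        # A planted symlink at the directory name itself must be refused.
        planted = os.path.join(tmp, "planted-dir")
        os.symlink(tmp, planted)
        results["dir_symlink"] = prepare_socket_dir(planted)

        # Genuine socket created by the "daemon": permissions may be fixed.
        sock_path = os.path.join(rundir, "es.socket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
        results["socket"] = secure_socket_perms(sock_path)
        results["socket_mode"] = stat.S_IMODE(os.lstat(sock_path).st_mode)

        # Symlink case from the report: the name points at an ordinary file.
        target = os.path.join(tmp, "important")    # constructed stand-in target
        with open(target, "w") as f:
            f.write("constructed target\n")
        before = stat.S_IMODE(os.stat(target).st_mode)
        link_path = os.path.join(rundir, "es.socket.link")
        os.symlink(target, link_path)
        results["symlink"] = secure_socket_perms(link_path)
        results["target_untouched"] = before == stat.S_IMODE(os.stat(target).st_mode)

        # Hard-link case from the report: a second name for the socket inode.
        hard = os.path.join(rundir, "es.socket.hard")
        os.link(sock_path, hard)
        results["hardlink"] = secure_socket_perms(sock_path)
        srv.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guard mirrors the two halves of the advice: prepare_socket_dir is what a root-owned /run/eflite buys you (nobody else can plant a name there), and secure_socket_perms is the type, link-count and ownership check that a blind chown/chmod on /tmp/es.socket never did. A Unix socket created by the daemon itself with the right umask needs neither step after the fact, which is the first option suggested above.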
eflite might be better dropped, the last version is from 2006-01-18. I don't see any packages depending on it. Any objections?
(In reply to Miroslav Šulc from comment #7)
> eflite might be better dropped, the last version is from 2006-01-18. I don't
> see any packages depending on it. Any objections?
Yep, I recall this being one of the first packages I recommended treecleaning (on irc). As I recall William meant to look into it but I guess never did or had no luck. CCing treecleaner.