Bug 498020 (CVE-2014-0027) - <app-accessibility/flite-{-1.2-r2 ,1.3-r1}: temporary file issue (CVE-2014-0027)
Status: RESOLVED FIXED
Alias: CVE-2014-0027
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Depends on: 510260 510324
Reported: 2014-01-13 17:35 UTC by Agostino Sarubbo
Modified: 2015-02-22 13:38 UTC

Description Agostino Sarubbo gentoo-dev 2014-01-13 17:35:17 UTC
From ${URL} :

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a
temporary file handling flaw in flite, a speech synthesis engine
(text-to-speech). A local attacker could use this flaw to perform a
symbolic link attack to modify an arbitrary file accessible to the user
running flite, or possibly obtain sensitive information as the temporary
file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

static int play_wave_from_socket(snd_header *header,int audiostream)
{

fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);

n = audio_write(audio_device,shorts,q);
cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is 
just to ifdef the lines out...

A patch is available from 
https://bugzilla.redhat.com/show_bug.cgi?id=1048678



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
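
The flaw described above, as an added example that is not flite's code and not the Red Hat patch: a fixed-name dump file opened with plain fopen() writes through a symlink that already exists at that path, while an exclusive, no-follow open refuses it. The function names, the "victim" file and the private mkdtemp() directory are assumptions made for the demonstration; the fix applied in this bug was to ifdef the debug write out, so the hardened open is an alternative for code that really needs such a file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fopen() on a fixed name follows an existing symlink. */
static FILE *open_dump_unsafe(const char *path)
{
    return fopen(path, "wb");
}

/* Hardened: O_EXCL fails if anything (file or symlink) already exists at path,
 * O_NOFOLLOW rejects a symlink outright, mode 0600 keeps the dump private. */
static FILE *open_dump_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "wb");
    if (!f)
        close(fd);
    return f;
}

/* Constructed scenario inside a private mkdtemp() directory: "victim" holds
 * 9 bytes and "awb.wav" is a symlink to it, created before the dump is opened.
 * Returns the victim's size after the write attempt, or -1 on setup error. */
static long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/dumpdemoXXXXXX", victim[64], dump[64];
    struct stat st;
    long size = -1;
    int ok = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/awb.wav", dir);
    FILE *v = fopen(victim, "wb");
    if (v) { ok = fputs("important", v) >= 0; ok = (fclose(v) == 0) && ok; }
    if (ok && symlink(victim, dump) == 0) {
        FILE *f = use_safe ? open_dump_safe(dump) : open_dump_unsafe(dump);
        if (f) { fputs("pcm", f); fclose(f); }
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    unlink(dump); unlink(victim); rmdir(dir);
    return size;
}

int main(void) { printf("unsafe=%ld safe=%ld\n", victim_size_after(0), victim_size_after(1)); return 0; }
```

With the unsafe open the victim file is truncated and overwritten (3 bytes remain); with the hardened open the call fails and the victim keeps its 9 bytes.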
Comment 1 Chris Brannon (RETIRED) gentoo-dev 2014-02-12 21:22:19 UTC
Applied.  Bumped to 1.2-r2, 1.3-r1, and 1.4-r3.
1.2-r1 and 1.3 were stable.
I wanted to dump the 1.2 series, but it seems there may be issues with 1.3
and 1.4 on ppc.
Sorry for taking so long.
Comment 2 Chris Brannon (RETIRED) gentoo-dev 2014-05-14 16:44:45 UTC
Related stable requests: 510260, 510324.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-05-14 18:56:13 UTC
Two separate stable requests:

app-accessibility/flite-1.2-r2 stable request  = 510324
app-accessibility/flite-1.3-r1 = 510260

In the future it might be simpler if we just call for stabilization as part of the security request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-07-20 20:59:53 UTC
CVE-2014-0027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0027):
  The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows
  local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. 
  NOTE: some of these details are obtained from third party information.
Comment 5 Chris Brannon (RETIRED) gentoo-dev 2014-11-23 19:44:13 UTC
I removed all the old versions of flite from the tree.
There's no longer a reason to keep them around, since the 1.4 series
is stable.  So this can be closed I think.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-02-22 13:35:09 UTC
Arches and Maintainer(s), Thank you for your work.

Security Please Vote.

First Vote: No
Comment 7 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-22 13:38:18 UTC
GLSA Vote: No