From ${URL} :

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a temporary file handling flaw in flite, a speech synthesis engine (text-to-speech). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running flite, or possibly obtain sensitive information as the temporary file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here: src/audio/auserver.c contains:

    static int play_wave_from_socket(snd_header *header,int audiostream)
    {
        fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);
        n = audio_write(audio_device,shorts,q);
        cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is just to ifdef the lines out...

A patch is available from https://bugzilla.redhat.com/show_bug.cgi?id=1048678

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
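Added example, not part of the report or the flite sources: a C sketch of why a fixed name in /tmp is unsafe for a debug dump, next to an open that refuses a pre-existing path. It works inside a private mkdtemp() directory with constructed file names; dump_naive, dump_hardened and victim_size_after_dump are hypothetical names, and plain fopen() stands in for cst_fopen() as an assumption.

```c
/* Added example; all paths are constructed inside a private mkdtemp() dir. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fixed name, fopen() follows any symlink there. */
static int dump_naive(const char *path, const void *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite(buf, 1, len, f);
    return (fclose(f) == 0 && n == len) ? 0 : -1;
}

/* Hardened: O_EXCL fails if anything (a symlink included) already exists at
 * the path, O_NOFOLLOW is a second guard, 0600 keeps the audio private. */
static int dump_hardened(const char *path, const void *buf, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, buf, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Size of the victim file after a dump through a pre-existing symlink. */
long victim_size_after_dump(int hardened) {
    char dir[] = "/tmp/flite-demo-XXXXXX";
    char victim[64], link_path[64];
    struct stat st;
    long result = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/awb.wav", dir);
    if (dump_naive(victim, "precious data", 13) == 0 &&
        symlink(victim, link_path) == 0) {
        if (hardened) dump_hardened(link_path, "PCM", 3);
        else dump_naive(link_path, "PCM", 3);
        if (stat(victim, &st) == 0) result = (long)st.st_size;
    }
    unlink(link_path); unlink(victim); rmdir(dir);
    return result;
}

int main(void) {
    printf("naive: %ld bytes\n", victim_size_after_dump(0));
    printf("hardened: %ld bytes\n", victim_size_after_dump(1));
    return 0;
}
```

With the naive open the 13-byte victim file ends up holding the 3 dumped bytes; with the hardened open the call fails and the victim is untouched.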
Applied. Bumped to 1.2-r2, 1.3-r1, and 1.4-r3. 1.2-r1 and 1.3 were stable. I wanted to dump the 1.2 series, but it seems there may be issues with 1.3 and 1.4 on ppc. Sorry for taking so long.
Related stable requests: 510260, 510324.
Two separate stable requests:

app-accessibility/flite-1.2-r2 stable request = 510324
app-accessibility/flite-1.3-r1 = 510260

In the future it might be simpler if we just call for stabilization as part of the security request.
CVE-2014-0027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0027): The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third party information.
I removed all the old versions of flite from the tree. There's no longer a reason to keep them around, since the 1.4 series is stable. So this can be closed I think.
Arches and Maintainer(s), Thank you for your work.

Security Please Vote.
First Vote: No
GLSA Vote: No