oss-sec mailing list archives

temporary file issue in flite


From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 10 Jan 2014 01:01:41 +1100

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a
temporary file handling flaw in flite, a speech synthesis engine
(text-to-speech). A local attacker could use this flaw to perform a
symbolic link attack to modify an arbitrary file accessible to the user
running flite, or possibly obtain sensitive information as the temporary
file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

static int play_wave_from_socket(snd_header *header,int audiostream)
{
…
fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);
…
n = audio_write(audio_device,shorts,q);
cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is just to ifdef the lines out...

A patch is available from https://bugzilla.redhat.com/show_bug.cgi?id=1048678

Cheers,

--
Murray McAllister / Red Hat Security Response Team
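
Added example, not part of the original message and not flite code: the fixed-name open pattern quoted from auserver.c next to an exclusive-create variant, run against a constructed symlink inside a private scratch directory. The function names, scratch paths and file contents are assumptions made for illustration; the fix described in the message simply compiles the debug write out, so this goes beyond it to show what a safe open looks like when such a file is actually needed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the message: open-for-write on a predictable name follows an
 * existing symlink and truncates whatever it points to. */
static int dump_predictable(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = fwrite("PCM", 1, 3, f);
    return (fclose(f) == 0 && n == 3) ? 0 : -1;
}

/* Hardened: O_EXCL fails if the name already exists (symlinks included),
 * O_NOFOLLOW refuses a symlink as last component, 0600 keeps output private. */
static int dump_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, "PCM", 3);
    return (close(fd) == 0 && n == 3) ? 0 : -1;
}

/* Constructed scenario: a 14-byte "victim" file and a symlink named awb.wav
 * pointing at it. Returns the victim's size after the chosen writer runs. */
long victim_size_after(int use_exclusive) {
    char dir[] = "/tmp/flite-demo-XXXXXX", victim[64], dump[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(dump, sizeof dump, "%s/awb.wav", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -2;
    fputs("important data", f);
    fclose(f);
    if (symlink(victim, dump) != 0) return -2;
    if (use_exclusive) dump_exclusive(dump); else dump_predictable(dump);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(dump); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("victim size: predictable=%ld exclusive=%ld\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

When the file name does not have to be fixed, mkstemp() gives the same exclusive-create guarantee with an unpredictable name.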

