oss-sec mailing list archives
temporary file issue in flite
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 10 Jan 2014 01:01:41 +1100
As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a temporary file handling flaw in flite, a speech synthesis engine (text-to-speech). A local attacker could use this flaw to perform a symbolic link attack to modify an arbitrary file accessible to the user running flite, or possibly obtain sensitive information as the temporary file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

    static int play_wave_from_socket(snd_header *header,int audiostream)
    {
    …
        fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);
    …
            n = audio_write(audio_device,shorts,q);
            cst_fwrite(fff,shorts,2,q);

As this is debugging functionality and never read by flite, the fix is just to ifdef the lines out...
A patch is available from https://bugzilla.redhat.com/show_bug.cgi?id=1048678
Cheers,

--
Murray McAllister / Red Hat Security Response Team
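Added example (not part of the original post or the flite source): a write-mode open on a fixed name, which is the pattern the post describes, shown beside an O_EXCL open that refuses a pre-existing symlink. The function names, scratch directory and file contents are constructed for the demonstration; the fix referenced in the post removes the debug write rather than hardening it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: what a plain write-mode fopen() on a fixed name amounts to. A
 * symlink already present at `path` is followed and its target truncated. */
static int open_dump_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL refuses any pre-existing name (symlinks included),
 * and mode 0600 keeps the audio dump private to the user. */
static int open_dump_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private scratch directory: `dump` is a
 * symlink to `victim`. Returns victim's size after the chosen opener ran
 * (9 = untouched, 0 = truncated through the link), or -1 on setup error. */
static long victim_size_after(int hardened)
{
    char dir[] = "/tmp/flite-demo.XXXXXX", victim[64], dump[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(dump, sizeof dump, "%s/awb.wav", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9 || symlink(victim, dump) != 0)
        return -1;
    close(fd);
    fd = hardened ? open_dump_excl(dump) : open_dump_weak(dump);
    if (fd >= 0) close(fd);
    long n = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(dump); unlink(victim); rmdir(dir);
    return n;
}

int main(void)
{
    printf("weak: %ld, hardened: %ld\n", victim_size_after(0), victim_size_after(1));
    return 0;
}
```

Where a debug dump is genuinely needed, mkstemp() is the usual choice, since it also makes the name unpredictable.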