Bug 12617

Summary: flite new security issue CVE-2014-0027
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, rverschelde, stormi-mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/584265/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: flite-1.4-4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-02-05 19:50:47 CET 
Fedora has issued an advisory on January 10:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127776.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated flite packages fix security vulnerability:

The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows
local users to modify arbitrary files via a symlink attack on /tmp/awb.wav
(CVE-2014-0027).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0027
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127776.html
========================

Updated packages in core/updates_testing:
========================
flite-1.4-2.1.mga3
libflite-devel-1.4-2.1.mga3
flite-1.4-4.1.mga4
libflite1-1.4-4.1.mga4
libflite-devel-1.4-4.1.mga4

from SRPMS:
flite-1.4-2.1.mga3.src.rpm
flite-1.4-4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-05 19:50:53 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-02-10 14:30:16 CET 
flite has no man entry. The equivalent is at
 /usr/share/doc/flite/html/flite_6.html#flite-binary
but it does not behave exactly as one might expect.
Given a working sound system, is is easy to test very basically from the command line:
 flite -t word
 flite -t "word"
will say 'word'.
 flite "a string of words"
 flite -t "a string of words"
will *say* the string.
If <file> is a simple text file of real words:
 flite <file>
 flite -f <file>
will *say* the text in the file.

 flite a string of words
is not helpful, it tries to open file 'a'.
 flite -t a string of words
is useless, does nothing. It should say the string.
 flite "word"
is not helpful, it tries to open file 'word'.

CC: (none) => lewyssmith

Samuel Verschelde 2014-02-10 14:34:26 CET

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 Lewis Smith 2014-02-10 14:44:35 CET 
Testing on Mag4 64-bit real hardware.
Installed base flite, ran simple tests OK.
Updated from Testing repositories:
 lib64flite1-1.4-4.1.mga4
 flite-1.4-4.1.mga4
Simple tests still OK.
If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Comment 3 Lewis Smith 2014-02-10 14:47:33 CET 
(In reply to Lewis Smith from comment #2)
> If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Sorry. MGA4-64-OK
Comment 4 Samuel Verschelde 2014-02-10 14:49:22 CET 
yes, please proceed
Comment 5 claire robinson 2014-02-10 17:32:25 CET 
Well done Lewis.

Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 6 claire robinson 2014-02-10 19:39:41 CET 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 7 claire robinson 2014-02-10 19:43:35 CET 
Advisory uploaded.

Just needs testing mga4 32 and can then be validated.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok

Comment 8 Rémi Verschelde 2014-02-10 19:53:13 CET 
I'm on mga4 32.

CC: (none) => remi

Comment 9 Rémi Verschelde 2014-02-10 20:05:16 CET 
Testing complete mga4 i586. I could not find instructions on how to reproduce the security issue (though thanks for your general purpose procedure Lewis!), but since the patch is pretty harmless[1], we can validate.

BTW Lewis, whenever a program has no man page, you can always try "<program> --help". Here "flite --help" provides some info.

[1] https://bugzilla.redhat.com/attachment.cgi?id=846118

--

Advisory has already been upload. Could a sysadmin push the update from core/updates_testing to core/updates, both for Mageia 3 and Mageia 4?

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-02-10 21:31:35 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0047.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED