Bug 12617 - flite new security issue CVE-2014-0027
Summary: flite new security issue CVE-2014-0027
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584265/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Reported: 2014-02-05 19:50 CET by David Walser
Modified: 2014-02-10 21:31 CET (History)
5 users (show)

See Also:
Source RPM: flite-1.4-4.mga4.src.rpm
Status comment:


Description David Walser 2014-02-05 19:50:47 CET
Fedora has issued an advisory on January 10:

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.


Updated flite packages fix security vulnerability:

The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows
local users to modify arbitrary files via a symlink attack on /tmp/awb.wav


Updated packages in core/updates_testing:

from SRPMS:


Steps to Reproduce:
David Walser 2014-02-05 19:50:53 CET

Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-02-10 14:30:16 CET
flite has no man entry. The equivalent is at
but it does not behave exactly as one might expect.
Given a working sound system, is is easy to test very basically from the command line:
 flite -t word
 flite -t "word"
will say 'word'.
 flite "a string of words"
 flite -t "a string of words"
will *say* the string.
If <file> is a simple text file of real words:
 flite <file>
 flite -f <file>
will *say* the text in the file.

 flite a string of words
is not helpful, it tries to open file 'a'.
 flite -t a string of words
is useless, does nothing. It should say the string.
 flite "word"
is not helpful, it tries to open file 'word'.

CC: (none) => lewyssmith

Samuel Verschelde 2014-02-10 14:34:26 CET

CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 2 Lewis Smith 2014-02-10 14:44:35 CET
Testing on Mag4 64-bit real hardware.
Installed base flite, ran simple tests OK.
Updated from Testing repositories:
Simple tests still OK.
If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Comment 3 Lewis Smith 2014-02-10 14:47:33 CET
(In reply to Lewis Smith from comment #2)
> If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Sorry. MGA4-64-OK
Comment 4 Samuel Verschelde 2014-02-10 14:49:22 CET
yes, please proceed
Comment 5 claire robinson 2014-02-10 17:32:25 CET
Well done Lewis.

Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 6 claire robinson 2014-02-10 19:39:41 CET
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 7 claire robinson 2014-02-10 19:43:35 CET
Advisory uploaded.

Just needs testing mga4 32 and can then be validated.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok

Comment 8 Rémi Verschelde 2014-02-10 19:53:13 CET
I'm on mga4 32.

CC: (none) => remi

Comment 9 Rémi Verschelde 2014-02-10 20:05:16 CET
Testing complete mga4 i586. I could not find instructions on how to reproduce the security issue (though thanks for your general purpose procedure Lewis!), but since the patch is pretty harmless[1], we can validate.

BTW Lewis, whenever a program has no man page, you can always try "<program> --help". Here "flite --help" provides some info.

[1] https://bugzilla.redhat.com/attachment.cgi?id=846118


Advisory has already been upload. Could a sysadmin push the update from core/updates_testing to core/updates, both for Mageia 3 and Mageia 4?

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2014-02-10 21:31:35 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.