Bug 12617 - flite new security issue CVE-2014-0027
: flite new security issue CVE-2014-0027
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 4
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/584265/
: MGA3TOO has_procedure advisory mga3-3...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2014-02-05 19:50 CET by David Walser
Modified: 2014-02-10 21:31 CET (History)
5 users (show)

See Also:
Source RPM: flite-1.4-4.mga4.src.rpm
CVE:


Attachments

Description David Walser 2014-02-05 19:50:47 CET
Fedora has issued an advisory on January 10:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127776.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated flite packages fix security vulnerability:

The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows
local users to modify arbitrary files via a symlink attack on /tmp/awb.wav
(CVE-2014-0027).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0027
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127776.html
========================

Updated packages in core/updates_testing:
========================
flite-1.4-2.1.mga3
libflite-devel-1.4-2.1.mga3
flite-1.4-4.1.mga4
libflite1-1.4-4.1.mga4
libflite-devel-1.4-4.1.mga4

from SRPMS:
flite-1.4-2.1.mga3.src.rpm
flite-1.4-4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 Lewis Smith 2014-02-10 14:30:16 CET
flite has no man entry. The equivalent is at
 /usr/share/doc/flite/html/flite_6.html#flite-binary
but it does not behave exactly as one might expect.
Given a working sound system, is is easy to test very basically from the command line:
 flite -t word
 flite -t "word"
will say 'word'.
 flite "a string of words"
 flite -t "a string of words"
will *say* the string.
If <file> is a simple text file of real words:
 flite <file>
 flite -f <file>
will *say* the text in the file.

 flite a string of words
is not helpful, it tries to open file 'a'.
 flite -t a string of words
is useless, does nothing. It should say the string.
 flite "word"
is not helpful, it tries to open file 'word'.
Comment 2 Lewis Smith 2014-02-10 14:44:35 CET
Testing on Mag4 64-bit real hardware.
Installed base flite, ran simple tests OK.
Updated from Testing repositories:
 lib64flite1-1.4-4.1.mga4
 flite-1.4-4.1.mga4
Simple tests still OK.
If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Comment 3 Lewis Smith 2014-02-10 14:47:33 CET
(In reply to Lewis Smith from comment #2)
> If this is deemed adequate, can the bug be Whiteboarded MGA3-64-OK ?
Sorry. MGA4-64-OK
Comment 4 Samuel Verschelde 2014-02-10 14:49:22 CET
yes, please proceed
Comment 5 claire robinson 2014-02-10 17:32:25 CET
Well done Lewis.

Testing complete mga3 32
Comment 6 claire robinson 2014-02-10 19:39:41 CET
Testing complete mga3 64
Comment 7 claire robinson 2014-02-10 19:43:35 CET
Advisory uploaded.

Just needs testing mga4 32 and can then be validated.
Comment 8 Rémi Verschelde 2014-02-10 19:53:13 CET
I'm on mga4 32.
Comment 9 Rémi Verschelde 2014-02-10 20:05:16 CET
Testing complete mga4 i586. I could not find instructions on how to reproduce the security issue (though thanks for your general purpose procedure Lewis!), but since the patch is pretty harmless[1], we can validate.

BTW Lewis, whenever a program has no man page, you can always try "<program> --help". Here "flite --help" provides some info.

[1] https://bugzilla.redhat.com/attachment.cgi?id=846118

--

Advisory has already been upload. Could a sysadmin push the update from core/updates_testing to core/updates, both for Mageia 3 and Mageia 4?
Comment 10 Thomas Backlund 2014-02-10 21:31:35 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0047.html

Note You need to log in before you can comment on or make changes to this bug.