Home page logo

oss-sec logo oss-sec mailing list archives

temporary file issue in flite
From: Murray McAllister <mmcallis () redhat com>
Date: Fri, 10 Jan 2014 01:01:41 +1100

As reported to the linux-distros mailing list:

Florian Weimer of the Red Hat Product Security Team discovered a
temporary file handling flaw in flite, a speech synthesis engine
(text-to-speech). A local attacker could use this flaw to perform a
symbolic link attack to modify an arbitrary file accessible to the user
running flite, or possibly obtain sensitive information as the temporary
file may contain text-to-speech output (screen contents). (CVE-2014-0027)

The issue is here:

src/audio/auserver.c contains:

static int play_wave_from_socket(snd_header *header,int audiostream)
fff = cst_fopen("/tmp/awb.wav",CST_OPEN_WRITE|CST_OPEN_BINARY);
n = audio_write(audio_device,shorts,q);

As this is debugging functionality and never read by flite, the fix is just to ifdef the lines out...

A patch is available from https://bugzilla.redhat.com/show_bug.cgi?id=1048678


Murray McAllister / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
  • temporary file issue in flite Murray McAllister (Jan 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]