CVE-2007-4074: privilege escalation in festival


Debian Bug report logs - #435445
CVE-2007-4074: privilege escalation in festival


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Tue, 31 Jul 2007 19:30:01 UTC

Severity: normal

Tags: patch, security

Fixed in version festival/1.4.3-21

Done: Kartik Mistry <kartik.mistry@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4074: privilege escalation in festival
Date: Tue, 31 Jul 2007 21:26:46 +0200
Package: festival
Severity: normal
Tags: security


It seems festival in daemon mode allows any local user to execute
arbitrary commands as nobody:audio using the system() command. This
is problematic because

- there could be other daemons running as user nobody. These could
  be influenced/killed by any local user.
- it could be used by a user not in group audio to access a microphone



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to "Kartik Mistry" <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #10 received at 435445@bugs.debian.org (full text, mbox, reply):

From: "Kartik Mistry" <kartik.mistry@gmail.com>
To: 435445@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Wed, 1 Aug 2007 15:38:39 +0530
[Message part 1 (text/plain, inline)]
tag 435445 patch
thanks

Hi,

The possible patch is attached.

Taken from Gentoo,
http://bugs.gentoo.org/attachment.cgi?id=121309

Can I fix this in unstable now?

-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------
[435445-festival-CVE-2007-4074.diff (text/x-diff, attachment)]

Tags added: patch Request was from "Kartik Mistry" <kartik.mistry@gmail.com> to control@bugs.debian.org. (Wed, 01 Aug 2007 10:12:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #17 received at 435445@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: Kartik Mistry <kartik.mistry@gmail.com>
Cc: 435445@bugs.debian.org, team@security.debian.org
Subject: Re: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Wed, 1 Aug 2007 11:33:54 +0100
On Wed Aug 01, 2007 at 15:38:39 +0530, Kartik Mistry wrote:

> The possible patch is attached.
> Taken from Gentoo,
> http://bugs.gentoo.org/attachment.cgi?id=121309

  That'll need fixing up to call 'adduser' instead of the enewuser
 in the postinst script.

> Can I fix this to unstable now?

  Sure.

  If you could send us the patch you use for sid I'll upload a fixed
 version for Etch.

Steve
-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to "Kartik Mistry" <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #22 received at 435445@bugs.debian.org (full text, mbox, reply):

From: "Kartik Mistry" <kartik.mistry@gmail.com>
To: 435445@bugs.debian.org
Cc: "Steve Kemp" <skx@debian.org>, team@security.debian.org
Subject: Re: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Wed, 1 Aug 2007 23:52:30 +0530
[Message part 1 (text/plain, inline)]
On 8/1/07, Steve Kemp <skx@debian.org> wrote:
>   That'll need fixing up to call 'adduser' instead of the enewuser
>  in the postinst script.
>
>   If you could send us the patch you use for sid I'll upload a fixed
>  version for Etch.

Hi,

Another patch is attached which adds the user festival. I want the
team to review it before I ping my sponsor to upload the package.

Thanks,
-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------
[Patch4-435445-festival-CVE-2007-4074.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #27 received at 435445@bugs.debian.org (full text, mbox, reply):

From: Stefan Fritsch <sf@sfritsch.de>
To: "Kartik Mistry" <kartik.mistry@gmail.com>
Cc: 435445@bugs.debian.org, "Steve Kemp" <skx@debian.org>
Subject: Re: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Wed, 1 Aug 2007 21:39:10 +0200
First, note that on Gentoo festival used to run as root. This is why 
this was a much more severe issue there.

On Debian we have the daemon running as nobody:audio. The patch now 
seems to start the daemon as festival:festival. This is certainly an 
improvement, but I am uncertain whether this will work, because the 
daemon might need group audio to work. On the other hand, starting it 
as festival:audio would still be problematic (but might be acceptable 
if documented).

There is also the problem that it can be configured to allow non-local 
connections (and the README.Debian describes how to do this). This 
would allow remote code execution.

The cleanest solution would be to disable system(). If that is not 
possible due to the way festival works, there needs to be a big 
warning that all users who can connect to it need to be trusted.

Cheers,
Stefan
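The two conditions Stefan raises across this thread, a daemon that will call system() for whoever can reach its socket running under the shared nobody account, and that socket possibly bound to non-local addresses, can both be checked on a running host from /proc. The script below is an added example, not code from the bug report or the festival package: it parses /proc/net/tcp and a passwd file to report where the daemon listens and which account owns the listening socket, and flags the before-fix state (nobody, all interfaces) versus the after-fix state (a dedicated festival user, loopback only). Port 1314, Festival's default server port, is an assumption because the report never names the port; the /proc and passwd lines embedded in it are constructed, and the festival uid 108 in them is invented for the example.

```python
"""Audit a Festival-style daemon for the two problems raised in #435445:
a listener reachable from other hosts, and a daemon owned by the shared
'nobody' account.  Added example; not code from festival or the report."""
import socket
import struct

FESTIVAL_PORT = 1314   # assumption: Festival's default server port
NOBODY_UID = 65534     # Debian's uid for "nobody"
TCP_LISTEN = "0A"      # socket state code used by /proc/net/tcp

# Constructed sample data (not captured from a real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
festival:x:108:29::/var/lib/festival:/usr/sbin/nologin
"""
# Before the fix: bound to 0.0.0.0 (every interface), owned by nobody.
TCP_BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0522 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""
# After the fix: loopback only, owned by the dedicated festival user.
TCP_AFTER = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0522 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 12345 1 0000000000000000 100 0 0 10 0
"""


def _hex_ipv4(hexaddr: str) -> str:
    """/proc/net/tcp stores IPv4 addresses as little-endian hex words."""
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def listening_sockets(proc_net_tcp: str, port: int = FESTIVAL_PORT):
    """Return (bind_address, uid) for every LISTEN socket on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 8 or ":" not in fields[1]:
            continue
        local, state, uid = fields[1], fields[3], int(fields[7])
        addr_hex, port_hex = local.split(":")
        if state == TCP_LISTEN and int(port_hex, 16) == port:
            found.append((_hex_ipv4(addr_hex), uid))
    return found


def uid_names(passwd: str):
    """Map numeric uid -> account name from passwd(5) text."""
    names = {}
    for entry in passwd.splitlines():
        parts = entry.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            names[int(parts[2])] = parts[0]
    return names


def audit(proc_net_tcp: str, passwd: str, port: int = FESTIVAL_PORT):
    """Flag listeners reachable from other hosts and sockets owned by the
    shared nobody account; an empty list means both checks passed."""
    names = uid_names(passwd)
    findings = []
    for bind, uid in listening_sockets(proc_net_tcp, port):
        user = names.get(uid, str(uid))
        if bind != "127.0.0.1":
            findings.append(f"port {port} bound to {bind}: reachable from other hosts")
        if uid == NOBODY_UID or user == "nobody":
            findings.append(f"port {port} owned by uid {uid} ({user}): shared account")
    return findings


if __name__ == "__main__":
    for label, sample in (("before fix", TCP_BEFORE), ("after fix", TCP_AFTER)):
        print(label, audit(sample, PASSWD_SAMPLE) or "no findings")
    try:   # same check against this host, if /proc is available
        with open("/proc/net/tcp") as tcp, open("/etc/passwd") as pw:
            print("this host", audit(tcp.read(), pw.read()) or "no findings")
    except OSError:
        pass
```

The "after fix" state reflects what the maintainer settled on later in the thread (a dedicated festival user in group audio, daemon no longer started as nobody); binding to loopback is the separate condition Stefan asks to be either enforced or documented with a warning, and the script treats any other bind address as a finding.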




Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to "Kartik Mistry" <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #32 received at 435445@bugs.debian.org (full text, mbox, reply):

From: "Kartik Mistry" <kartik.mistry@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 435445@bugs.debian.org
Cc: "Steve Kemp" <skx@debian.org>
Subject: Re: Bug#435445: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Thu, 2 Aug 2007 10:23:55 +0530
On 8/2/07, Stefan Fritsch <sf@sfritsch.de> wrote:
> First, note that on Gentoo festival used to run as root. This is why
> this was a much more severe issue there.

Yes, I noticed that.

> On Debian we have the daemon running as nobody:audio. The patch now
> seems to start the daemon as festival:festival. This is certainly an
> improvement, but I am uncertain whether this will work, because the
> daemon might need group audio to work. On the other hand, starting it
> as festival:audio would still be problematic (but might be acceptable
> if documented).

Running the daemon as festival:audio is a good idea; README.Debian can be
used to document this.

By default, /etc/init.d/festival is already disabled.

> There is also the problem that it can be configured to allow non-local
> connections (and the README.Debian describes how to do this). This
> would allow remote code execution.

Does this description need a big warning ahead of it, or should it be removed?

> The cleanest solution would be to disable system(). If that is not
> possible due to the way festival works, there needs to be a big
> warning that all users who can connect to it need to be trusted.

Let me check if I can do this. I think it will be difficult to deal
with, since festival uses it in many things internally.

So, the best way is:
1. Use festival:audio instead of nobody:audio and add a festival user for it
2. Document it with a warning in README.Debian

Let me know your opinion, I will provide updated patch then.

Cheers,
-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to "Kartik Mistry" <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #37 received at 435445@bugs.debian.org (full text, mbox, reply):

From: "Kartik Mistry" <kartik.mistry@gmail.com>
To: "Stefan Fritsch" <sf@sfritsch.de>, 435445@bugs.debian.org
Cc: "Steve Kemp" <skx@debian.org>
Subject: Re: Bug#435445: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Thu, 2 Aug 2007 15:10:18 +0530
[Message part 1 (text/plain, inline)]
On 8/2/07, Kartik Mistry <kartik.mistry@gmail.com> wrote:
> Let me know your opinion, I will provide updated patch then.

A better patch is provided:

1. It adds the festival user to group audio
2. Related changes in festival.init so it is no longer started as nobody:audio
3. A warning in README.Debian

Thanks,
-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------
[Patch4-435445-festival-CVE-2007-4074.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to Steve Kemp <skx@debian.org>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #42 received at 435445@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>
To: Kartik Mistry <kartik.mistry@gmail.com>
Cc: Stefan Fritsch <sf@sfritsch.de>, 435445@bugs.debian.org
Subject: Re: Bug#435445: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Thu, 2 Aug 2007 10:51:42 +0100
On Thu Aug 02, 2007 at 15:10:18 +0530, Kartik Mistry wrote:
> On 8/2/07, Kartik Mistry <kartik.mistry@gmail.com> wrote:
> > Let me know your opinion, I will provide updated patch then.
> 
> A better patch is provided,
> 
> 1. It adds festival as group audio
> 2. Related changes in festival.init and don't start it as nobody:audio
> 3. A warning in README.Debian

  That looks good to me.  I'll prepare a DSA shortly.

Steve
-- 



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik.mistry@gmail.com>:
Bug#435445; Package festival. (full text, mbox, link).


Acknowledgement sent to "Kartik Mistry" <kartik.mistry@gmail.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik.mistry@gmail.com>. (full text, mbox, link).


Message #47 received at 435445@bugs.debian.org (full text, mbox, reply):

From: "Kartik Mistry" <kartik.mistry@gmail.com>
To: "Steve Kemp" <skx@debian.org>
Cc: "Stefan Fritsch" <sf@sfritsch.de>, 435445@bugs.debian.org
Subject: Re: Bug#435445: [Patch] CVE-2007-4074: privilege escalation in festival
Date: Thu, 2 Aug 2007 15:25:32 +0530
On 8/2/07, Steve Kemp <skx@debian.org> wrote:
>   That looks good to me.  I'll prepare a DSA shortly.

Thanks a lot, Steve.

I hope my sponsor will upload tonight to unstable too.

Cheers,
-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------



Reply sent to Kartik Mistry <kartik.mistry@gmail.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (full text, mbox, link).


Message #52 received at 435445-close@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik.mistry@gmail.com>
To: 435445-close@bugs.debian.org
Subject: Bug#435445: fixed in festival 1.4.3-21
Date: Fri, 03 Aug 2007 02:32:03 +0000
Source: festival
Source-Version: 1.4.3-21

We believe that the bug you reported is fixed in the latest version of
festival, which is due to be installed in the Debian FTP archive:

festival-dev_1.4.3-21_amd64.deb
  to pool/main/f/festival/festival-dev_1.4.3-21_amd64.deb
festival_1.4.3-21.diff.gz
  to pool/main/f/festival/festival_1.4.3-21.diff.gz
festival_1.4.3-21.dsc
  to pool/main/f/festival/festival_1.4.3-21.dsc
festival_1.4.3-21_amd64.deb
  to pool/main/f/festival/festival_1.4.3-21_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 435445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <kartik.mistry@gmail.com> (supplier of updated festival package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 2 Aug 2007 13:52:29 +0530
Source: festival
Binary: festival-dev festival
Architecture: source amd64
Version: 1.4.3-21
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik.mistry@gmail.com>
Changed-By: Kartik Mistry <kartik.mistry@gmail.com>
Description: 
 festival   - general multi-lingual speech synthesis system
 festival-dev - development kit for the Festival speech synthesis system
Closes: 427550 435445
Changes: 
 festival (1.4.3-21) unstable; urgency=medium
 .
   * debian/festival.init: fixed CVE-2007-4074: priviledge escalation
     (Closes: #435445)
   * debian/festival.postinst: adding new user festival to audio group
   * debian/README.Debian: added warning about possible security flow
   * debian/control: updated dependency of sysv-rc, added dependency on adduser
   * debian/rules: a better clean target
   * lib/languages.scm: fixed typo from previous patch, Thanks to Niko Tyni
     <ntyni@iki.fi> for this (Closes: #427550)
Files: 
 42641d112cc7c6faea62773cef6f62a1 670 sound optional festival_1.4.3-21.dsc
 99045492b4cc6825ee383e95171e4a9c 33973 sound optional festival_1.4.3-21.diff.gz
 2def65145a2a401052319bf9f61f7eee 710268 sound optional festival_1.4.3-21_amd64.deb
 1583507f8adaf1aae593dad69e3b1ec7 446484 libdevel optional festival-dev_1.4.3-21_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGso/tFyn1hmqfPDgRAlpMAJ9jZJK7/FAQ6C4lTAz2A0vdR/zakgCgvLRk
+sURxcHR0hg+HMTTvpm/1lw=
=ICBl
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Sep 2007 07:26:46 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:32:21 2019; Machine Name: beach
