Package: festival Severity: normal Tags: security
It seems festival in daemon mode allows any local user to execute arbitrary commands as nobody:audio using the system() command. This is problematic because - there could be other daemons running as user nobody. These could be influenced/killed by any local user. - it could be used by a user not in group audio to access a microphone -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
