On Tue, 19 Feb 2008, Kumar Appaiah wrote:
> On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> > Hi Tim,
> > this is somehow strange, this CVE id was already fixed in
> > 1.4.3-21 referring to the security tracker (see bug #435445
> > for reference).
> > Did this fix get lost somewhere in the package history?
>
> It appears that the troublesome issue of running festival as a less
> privileged user was handled in the last upload. However, what was not
> handled was the restriction of access to localhost by default, and
> the necessity to introduce a password for this purpose. The last
> upload, which Tim has checked a few times, introduces this feature,
> and thus, makes the security aspect a bit more complete.
> Hope this is fine. Thanks for the follow up.

This is my impression too. Gentoo introduced localhost restrictions in
their patch for the original issue, in addition to changing the init
process of the server so that it runs under its own privileges rather than
root; they didn't add authentication though. The Debian patch only changed the
init process of the server, which while preventing a full root compromise,
did not prevent remote unauthenticated access.
Looking at the previous bug history there was some discussion about
disabling the system command too, but IMO this does little to fix the
underlying problem of an unauthenticated Scheme interpreter bound to a
remote port with no ACLs or authentication.
Tim
--
Tim Brown
<mailto:[EMAIL PROTECTED]>
<http://www.nth-dimension.org.uk/>
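An added example, not part of the original thread or of any Debian or Gentoo patch: a small Python check that reads a Festival server configuration and reports the two gaps discussed above, a missing localhost restriction and a missing password. It assumes Festival's `server_access_list` and `server_passwd` settings and that an unset access list lets any host connect, as the thread describes for the unpatched package; the sample configs are constructed.

```python
import re

# Constructed sample configs for illustration; not from any distribution package.
OPEN_CONFIG = """
(set! server_port 1515)
"""
HARDENED_CONFIG = """
(set! server_port 1515)
(set! server_access_list '("localhost"))   ; loopback clients only
(set! server_passwd "PLACEHOLDER-passphrase")
"""

TOKEN = re.compile(r'''\s*(?:;[^\n]*|("(?:\\.|[^"\\])*")|([()'])|([^\s()'";]+))''')
LOOPBACK = {"localhost", "127.0.0.1", r"127\.0\.0\.1"}

def read_forms(text):
    """Parse Scheme source into nested lists; comments and quote marks are dropped."""
    stack, top = [], []
    for m in TOKEN.finditer(text):
        string, paren, atom = m.groups()
        if paren == "(":
            stack.append(top)
            top = []
        elif paren == ")" and stack:
            done, top = top, stack.pop()
            top.append(done)
        elif string or atom:
            top.append(string or atom)
    return top

def server_settings(text):
    """Collect top-level (set! server_* value) forms; the last assignment wins."""
    found = {}
    for form in read_forms(text):
        if (isinstance(form, list) and len(form) == 3 and form[0] == "set!"
                and isinstance(form[1], str) and form[1].startswith("server_")):
            found[form[1]] = form[2]
    return found

def audit(text):
    """Return finding labels for the two gaps the thread names."""
    cfg, findings = server_settings(text), []
    acl = cfg.get("server_access_list")
    if not isinstance(acl, list) or not acl:
        findings.append("no-access-list")        # assumption: unset means any host may connect
    elif any(not isinstance(h, str) or h.strip('"') not in LOOPBACK for h in acl):
        findings.append("non-loopback-access")   # entries are regexes; anything else is flagged
    passwd = cfg.get("server_passwd")
    if not isinstance(passwd, str) or not passwd.startswith('"') or passwd == '""':
        findings.append("no-password")           # nil or unset: no client authentication
    return findings
```

The loopback check is deliberately conservative: any access-list entry other than an exact loopback name is reported for manual review.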