Bug#435445: [Patch] CVE-2007-4074: priviledge escalation in festival

[Kartik Mistry]

On 8/2/07, Kartik Mistry <[EMAIL PROTECTED]> wrote:
> Let me know your opinion, I will provide updated patch then.

A better patch is provided,

1. It adds festival as group audio
2. Related changes in festival.init and don't start it as nobody:audio
3. A warning in README.Debian

Thanks,
-- 
 --------------------------------------------------------
 Kartik Mistry  | Eng: kartikmistry.org/blog
 0xD1028C8D | Guj: kartikm.wordpress.com
 --------------------------------------------------------

diff -u tmp/festival-1.4.3-orig/debian/changelog festival-1.4.3/debian/changelog
--- tmp/festival-1.4.3-orig/debian/changelog	2007-08-02 19:38:32.000000000 +0530
+++ festival-1.4.3/debian/changelog	2007-08-02 19:40:26.000000000 +0530
@@ -1,3 +1,13 @@
+festival (1.4.3-21) unstable; urgency=medium
+
+  * debian/festival.init: fixed CVE-2007-4074: priviledge escalation
+    (Closes: #435445)
+  * debian/festival.postinst: adding new user festival to audio group
+  * debian/README.Debian: added warning about possible security flow
+  * debian/control: added dependency on adduser
+
+ -- Kartik Mistry <[EMAIL PROTECTED]>  Thu, 2 Aug 2007 13:52:29 +0530
+
 festival (1.4.3-20) unstable; urgency=low
 
   * debian/control: Added file-rc along with sysv-rc in Depends for systems
diff -u tmp/festival-1.4.3-orig/debian/control festival-1.4.3/debian/control
--- tmp/festival-1.4.3-orig/debian/control	2007-08-01 20:53:01.000000000 +0530
+++ festival-1.4.3/debian/control	2007-08-02 19:27:22.000000000 +0530
@@ -7,7 +7,7 @@
 
 Package: festival
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base (>= 3.0-10), sysv-rc (>= 2.86.ds1) | file-rc
+Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, lsb-base (>= 3.0-10), sysv-rc (>= 2.86.ds1) | file-rc
 Recommends: festvox-kallpc16k | festival-voice
 Conflicts: festvox-rablpc8k (<< 1.4.0-2), festvox-rablpc16k (<< 1.4.0-2), festvox-kdlpc16k (<< 1.4.0-4), festvox-kdlpc8k (<< 1.4.0-5), festvox-don (<< 1.4.0-3), festvox-ellpc11k (<< 1.4.0-1), festlex-cmu (<< 1.4.0-3), festlex-oald (<< 1.4.0-2), festlex-poslex (<< 1.4.0-3)
 Suggests: festival-gaim, gstreamer0.8-festival
diff -u tmp/festival-1.4.3-orig/debian/festival.init festival-1.4.3/debian/festival.init
--- tmp/festival-1.4.3-orig/debian/festival.init	2007-08-01 20:53:01.000000000 +0530
+++ festival-1.4.3/debian/festival.init	2007-08-01 20:40:53.000000000 +0530
@@ -40,7 +40,7 @@
 case "$1" in
   start)
     log_daemon_msg "Starting Festival server" "$NAME"
-    start-stop-daemon --start --chuid nobody:audio --background \
+    start-stop-daemon --start --chuid festival --background \
 		--exec $DAEMON -- --server
     log_end_msg 0
     ;;
@@ -52,7 +52,7 @@
   restart|reload|force-reload)
     log_daemon_msg "Restarting Festival server" "$NAME"
     start-stop-daemon --stop --oknodo --exec $REALPROC
-    start-stop-daemon --start --chuid nobody:audio --background \
+    start-stop-daemon --start --chuid festival --background \
 		--exec $DAEMON -- --server
     log_end_msg 0
     ;;
diff -u tmp/festival-1.4.3-orig/debian/festival.postinst festival-1.4.3/debian/festival.postinst
--- tmp/festival-1.4.3-orig/debian/festival.postinst	2007-08-01 20:53:01.000000000 +0530
+++ festival-1.4.3/debian/festival.postinst	2007-08-02 19:28:59.000000000 +0530
@@ -7,4 +7,9 @@
        rm -f /etc/rc0.d/K20festival /etc/rc6.d/K20festival
 fi
 
+# Create festival user if it doesn't already exist.
+if ! getent passwd festival >/dev/null; then
+       adduser festival --quiet --system --ingroup audio --no-create-home
+fi
+
 #DEBHELPER#
diff -u tmp/festival-1.4.3-orig/debian/README.Debian festival-1.4.3/debian/README.Debian
--- tmp/festival-1.4.3-orig/debian/README.Debian	2007-08-01 20:53:01.000000000 +0530
+++ festival-1.4.3/debian/README.Debian	2007-08-02 19:36:42.000000000 +0530
@@ -9,7 +9,15 @@
 
  Feel free to submit patches.
 
- If you want to enable the Festival server code, you need to do two things:
+ Warning:
+
+ The following process may give access of your machine to another
+ users. Please take care and don't allow server other than localhost or
+ 127.0.0.1 or trusted users.
+
+ We have festival daemon running as festival user and audio group.
+
+ If you want to enable the Festival server as daemon, you need to do two things:
 
  - Remove or comment the "exit 0" near the beginning of /etc/init.d/festival.
  - Set the 'server_access_list' variable to the host names you want to grant