On Tuesday 19 February 2008 20:12:29 Nico Golde wrote:
> > It
> > probably also needs rewording since SuSE confirmed it affected them and I
> > think we agree it affects Debian. How do we go about doing that - is
> > that something for you guys or do I need to get involved?
>
> I see your point, I will contact mitre to update the CVE id
> or to assign a new one.

No news from MITRE? At least their CVE entry doesn't appear to be updated.

> I guess they will happily release a DSA if someone comes up
> and provides a fixed stable package that just works.

I've attached a patch that I think resolves this issue on stable - no warranties. Just wanted to make this final email as I'm intending to release my advisory shortly subject to any updates here.

Tim
--
Tim Brown
<mailto:[EMAIL PROTECTED]>
<http://www.nth-dimension.org.uk/>

diff -rN festival-1.4.3/debian/changelog festival-1.4.3-new/debian/changelog 0a1,18 > festival (1.4.3-17.3) unstable; urgency=high > > * Fix root security hole. Thanks to Tim Brown. > + debian/festival.init: Read festival.scm upon start. > (Closes: #466146) > * debian/festival.scm: > + Add sane default values for server. The festival > init script now uses these values while starting the > server. > * debian/README.Debian: > + Document some changes on daemon mode. > * debian/templates, debian/config, debian/festival.postinst: > + Ask for server password during install. > * debian/lintian-override: > + Permission of /etc/festival.scm should be 0600. > > -- Tim Brown <[EMAIL PROTECTED]> Sat, 01 Mar 2008 12:40:33 +0000 > diff -rN festival-1.4.3/debian/config festival-1.4.3-new/debian/config 0a1,20 > #!/bin/sh -e > > # Source debconf library. > . /usr/share/debconf/confmodule > > # grab selected config values from the config file and store them > # in debconf's database > > # first grab existing value (keep config file's existing value) > CONFIG_FILE=/etc/festival.scm > > # to help security, let password be entered afresh each time > # (and don't display the value left in the debconf database of > # "password written to config file") > db_set festival/server_passwd "" > > db_input critical festival/server_passwd || true > > db_go || true > db_stop || true diff -rN festival-1.4.3/debian/festival.init festival-1.4.3-new/debian/festival.init 27c27 < --exec $DAEMON -- --server --- > --exec $DAEMON -- --server -b /etc/festival.scm 39c39 < --exec $DAEMON -- --server --- > --exec $DAEMON -- --server -b /etc/festival.scm diff -rN festival-1.4.3/debian/festival.postinst festival-1.4.3-new/debian/festival.postinst 0a1,50 > #!/bin/sh > > set -e > > . 
/usr/share/debconf/confmodule > > # write selected values into config file > CONFIG_FILE=/etc/festival.scm > > PASSWD_ENTRY=server_passwd > > PASSWD=your_festival_passwd > db_get festival/server_passwd > PASSWD="$RET" > # insert the entry, if it is missing (which it ought not to be) > grep -Eq "^[[:blank:]]*\(set![[:blank:]][[:blank:]]*$PASSWD_ENTRY[[:blank:]]" $CONFIG_FILE || \ > echo "(set! $PASSWD_ENTRY \"$PASSWD\")" >> $CONFIG_FILE > > # only process the password if it is not empty > if [ "$PASSWD" ]; then > # copy config file here in order to preserve permissions when actually > # building the tmp file in the sed step > cp -a -f $CONFIG_FILE $CONFIG_FILE.tmp > > # escape sed special characters > #echo $PASSWD | sed -n 's|[\|\$\&\.\*\%\^\+\?]|\\&|g' > PASSWD=$(echo $PASSWD | sed 's|[\[\(\)\|\$\&\.\*\%\^\+\?\/]|\\&|g') > sed -e "s/(set.[[:blank:]]\+$PASSWD_ENTRY.*)/(set! $PASSWD_ENTRY \"$PASSWD\")/" \ > < $CONFIG_FILE > $CONFIG_FILE.tmp > > mv -f $CONFIG_FILE.tmp $CONFIG_FILE > # remove the password from the debconf database > db_set festival/server_passwd "password written to config file" > > fi > > # extra safety check: ensure passwords in config file cannot be read by anyone > chown nobody /etc/festival.scm > chmod og-r $CONFIG_FILE > > # Supporta log file > mkdir -p /var/log/festival > touch /var/log/festival/festival.log > chown nobody:audio /var/log/festival/festival.log > > # must indicate we are done with debconf, or the script will hang when the > # server is started below (DEBHELPER section, via dh_installinit). > db_stop > > #DEBHELPER# diff -rN festival-1.4.3/debian/festival.postrm festival-1.4.3-new/debian/festival.postrm 4a5,9 > if [ "$1" = "purge" ];then > rm -rf /var/log/festival > rm -f /etc/festival.scm > fi > diff -rN festival-1.4.3/debian/festival.scm festival-1.4.3-new/debian/festival.scm 3a4,23 > > ; Maximum number of clients on the server > (set! server_max_clients 10) > > ; Server port > (set! 
server_port 1314) > > ; Server password > (set! server_passwd nil) > > ; Log file location > (set! server_log_file "/var/log/festival/festival.log") > > ; Server access list (hosts) > ; Example: > ; (set! server_access_list '("[^.]+" "127.0.0.1" "localhost.*" "192.168.*")) > ; Secure default: > (set! server_access_list '("[^.]+" "127.0.0.1" "localhost")) > > ; Server deny list (hosts) diff -rN festival-1.4.3/debian/lintian.override festival-1.4.3-new/debian/lintian.override 1a2,4 > # We use a non-standard permission to help protect passwords in > # /etc/festival.scm > festival binary: non-standard-file-perm etc/festival.scm 0600 != 0644 diff -rN festival-1.4.3/debian/rules festival-1.4.3-new/debian/rules 74a75 > dh_installdebconf diff -rN festival-1.4.3/debian/templates festival-1.4.3-new/debian/templates 0a1,7 > Template: festival/server_passwd > Type: password > Default: your_festival_passwd > _Description: Server password: > In order to secure the festival server from unauthorized access, > you must enter a password here which can be used to ensure > that clients are not allowed access without authentication.
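
Review bot: In debian/changelog the new entry is targeted at "unstable" (festival (1.4.3-17.3) unstable; urgency=high), while the covering mail describes the patch as a fix for stable. If this is meant to be the stable security upload, the distribution field and version string should be set for that suite before the package is built, otherwise the changelog and the upload target disagree.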
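
Review bot: In debian/festival.postinst the password is escaped for sed only, not for the Scheme string it ends up in. The character class in the "escape sed special characters" step does not contain the double quote or the backslash, so a password containing either leaves a malformed (set! server_passwd "...") line in /etc/festival.scm, and the unquoted "echo $PASSWD" lets the shell word-split and glob the value before sed sees it. Quote the expansion (printf '%s\n' "$PASSWD") and either escape those two characters for the config file or reject passwords that contain them. Separately, the chown/chmod "extra safety check" runs only after the password has been written: cp -a gives $CONFIG_FILE.tmp the old mode, so the restrictive mode should be set on the .tmp file before the sed output is redirected into it. Making "nobody" the owner also lets the daemon account rewrite its own password and access list; root ownership with read access granted to the daemon's group would be tighter.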
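
Review bot: In debian/festival.scm the list labelled "Secure default" still begins with the pattern "[^.]+", which matches any client name that contains no dot, not only the local machine. With server_passwd shipped as nil in the same hunk, that pattern is the only gate for such clients until a password is set. Drop "[^.]+" from the default and keep just "127.0.0.1" and "localhost", leaving the wider pattern in the commented example. The hunk also ends on the comment "; Server deny list (hosts)" with no setting after it; either add the deny list entry or remove the comment.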
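
Review bot: In debian/templates, "Default: your_festival_passwd" puts a fixed, publicly known password into the template. It is masked today only because debian/config runs db_set festival/server_passwd "" before asking, so it should be removed rather than relied on as dead text (the matching PASSWD=your_festival_passwd assignment in the postinst is overwritten two lines later and can go as well). The description also says the admin "must enter a password", but the postinst skips the whole block when the answer is empty and leaves (set! server_passwd nil) in place; either say that an empty answer leaves the server without a password, or have the config script re-ask until a non-empty value is given.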