
Festival: Privilege elevation


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200707-10 / festival
Release Date: July 25, 2007
Latest Revision: July 25, 2007: 01
Impact: high
Exploitable: local

Package: app-accessibility/festival
Vulnerable versions: < 1.95_beta-r4
Unaffected versions: >= 1.95_beta-r4
Architecture(s): All supported architectures

Related bugreports: #170477

Synopsis

A vulnerability has been discovered in Festival, allowing for a local privilege escalation.

2.  Impact Information

Background

Festival is a text-to-speech accessibility program.

Description

Konstantine Shirow reported a vulnerability in default Gentoo configurations of Festival. The daemon is configured to run with root privileges and to listen on localhost, without requiring a password.

Impact

A local attacker could gain root privileges by connecting to the daemon and executing arbitrary commands.

3.  Resolution Information

Workaround

Set a password in the configuration file /etc/festival/server.scm by adding the line: (set! server_passwd password)
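
A check for the workaround above, as an added example that is not part of the advisory or of Festival: the hypothetical function festival_passwd_status reports whether a server.scm carries an effective server_passwd assignment. It assumes the assignment sits on one line, as the advisory shows, and treats nil or an empty string as no password (this script's policy).

```shell
#!/bin/sh
# Added example: audit a Festival server.scm for the GLSA 200707-10 workaround.
# Assumptions: the assignment is on one line (as the advisory shows), and a
# value of nil or "" is treated as "no password" by this script's policy.

# Print "set" (exit 0) if the last uncommented (set! server_passwd ...) has a
# usable value, otherwise print "unset" (exit 1).
festival_passwd_status() {
    awk '
    {
        line = ""; instr = 0
        # Drop Scheme ";" comments, but not semicolons inside "strings".
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (instr && c == "\\") { i++; line = line c substr($0, i, 1); continue }
            if (c == "\"") instr = !instr
            else if (c == ";" && !instr) break
            line = line c
        }
        # A later assignment overrides an earlier one, so keep the last value.
        if (match(line, /\(set![ \t]+server_passwd[ \t]+/)) {
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]*\)[ \t]*$/, "", val)
            found = 1
        }
    }
    END {
        ok = found && val != "" && val != "nil" && val != "\"\""
        print (ok ? "set" : "unset")
        exit (ok ? 0 : 1)
    }' "$1"
}

# Constructed sample config: the password line is commented out, so a daemon
# started with it would accept connections without a password.
sample=$(mktemp)
printf '%s\n' '(set! server_port 1515)' '; (set! server_passwd "example")' > "$sample"
echo "sample config: $(festival_passwd_status "$sample" || true)"
rm -f "$sample"
```

On an affected host, run the function against /etc/festival/server.scm; a result of "unset" means the workaround is not in place.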

Resolution

All Festival users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-accessibility/festival-1.95_beta-r4"



Page updated July 25, 2007
