Lucene search

Gentoo FoundationGLSA-201312-06

HistoryDec 09, 2013 - 12:00 a.m.

Festival: Arbitrary code execution

2013-12-0900:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS

Percentile

5.1%

JSON

Background

Festival is a Text to Speech Engine from The Centre for Speech Technology Research.

Description

A vulnerability in Festival Server has an incorrect path in LD_LIBRARY_PATH, which allows local users to place a Trojan horse shared library in the current working directory.

Impact

A local attacker can execute arbitrary a Trojan horse shared library, potentially resulting in arbitrary code execution and privilege escalation.

Workaround

There is no known workaround at this time.

Resolution

All Festival users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=app-accessibility/festival-2.1"

OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-accessibility/festival< 2.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	app-accessibility/festival	< 2.1	UNKNOWN

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS

Percentile

5.1%

JSON

Related for GLSA-201312-06