CVE-2007-4074 | Ubuntu

Description

The default configuration of Centre for Speech Technology Research (CSTR) Festival 1.95 beta (aka 2.0 beta) on Gentoo Linux, SUSE Linux, and possibly other distributions, is run locally with elevated privileges without requiring authentication, which allows local and remote attackers to execute arbitrary commands via the local daemon on port 1314, a different vulnerability than CVE-2001-0956. NOTE: this issue is local in some environments, but remote on others.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
festival	9.04 jaunty	Fixed 1.96~beta-5ubuntu2
	8.10 intrepid	Fixed 1.96~beta-5ubuntu2
	8.04 LTS hardy	Fixed 1.96~beta-5ubuntu2
	7.10 gutsy	Ignored end of life, was needed
	7.04 feisty	Ignored end of life, was needed
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Ignored end of life

Notes

kees

not as serious as in Gentoo, Debian's festival runs as nobody

jdstrand

in addition to running as nobody, it also does not start on boot by default (must edit the initscript) in dapper - gutsy (but does on hardy) fix would likely include documentation fixes with a big warning in the initscript

jstrand

fix not released for gutsy, as debian bug #435445 did not fully address the issue

jdstrand

hardy runs server by default (1.96~beta-5ubuntu1) marked hardy as fixed-- don't start server by default, non-prvileged user and notes on using --server

References

Other references

https://www.cve.org/CVERecord?id=CVE-2007-4074