It has been recently been identified that the Festival text to speech server was vulnerable to unauthenticated remote code execution. Further research indicated that this vulnerability has already been reported as a local privilege escalation against both the Gentoo and SuSE GNU/Linux distributions and had assigned CVE-2007-4074. The remote form of this vulnerability was originally identified in the default configuration of Festival 1.96~beta-5 as distributed in Debian unstable but Ubuntu Hardy Heron was also affected. Both Debian and Ubuntu have since released patches to resolve this flaw. An advisory for this flaw which provides further information is attached. A short analysis of Debian's response can be found at http://www.nth-dimension.org.uk/blog.php?id=68. Cheers, Tim -- Tim Brown <mailto:timb@xxxxxxxxxxxxxxxxxxxx> <http://www.nth-dimension.org.uk/>
Attachment:
NDSA20080215.txt.asc
Description: application/pgp-keys