Bug 650556 (CVE-2010-3996)

Summary: CVE-2010-3996 festival: insecure library loading vulnerability
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: davidz, mattdm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-07 01:38:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2010-11-07 01:32:28 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-3996 to
the following vulnerability:

Name: CVE-2010-3996
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3996
Assigned: 20101019
Reference: MLIST:[opensuse-updates] 20101022 openSUSE-SU-2010:0756-1 (moderate): festival security update
Reference: URL: http://lists.opensuse.org/opensuse-updates/2010-10/msg00028.html
Reference: CONFIRM: https://bugzilla.novell.com/show_bug.cgi?id=642507
Reference: BID:44395
Reference: URL: http://www.securityfocus.com/bid/44395

festival_server in Centre for Speech Technology Research (CSTR)
Festival, probably 2.0.95-beta and earlier, places a zero-length
directory name in the LD_LIBRARY_PATH, which allows local users to
gain privileges via a Trojan horse shared library in the current
working directory.
Comment 1 Vincent Danen 2010-11-07 01:38:22 UTC 
This issue does not affect the version of festival as provided with Red Hat Enterprise Linux 3, 4, or 5.  It also does not affect any version of festival as provided with Fedora (none of the festival_server scripts manipulate LD_LIBRARY_PATH at all).  Perhaps this is a 2.x "feature".
Comment 2 Vincent Danen 2010-11-07 01:38:49 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of festival as shipped with Red Hat Enterprise Linux 3, 4, or 5.