Re: intent to package Festival::Client Perl module

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: intent to package Festival::Client Perl module
From: Roderick Schertler <roderick@argon.org>
Date: Wed, 28 Oct 1998 18:59:54 -0500
Message-id: <[🔎] 1086.909619194@eeyore.ibcinc.com>
In-reply-to: Your message of "Wed, 28 Oct 1998 13:28:52 PST."
References: <[🔎] 20448.909593224@eeyore.ibcinc.com> <[🔎] 19981028131839.J1925@kitenet.net> <[🔎] 27895.909610037@eeyore.ibcinc.com> <[🔎] 19981028132852.L1925@kitenet.net>

On Wed, 28 Oct 1998 13:28:52 -0800, Joey Hess <joey@kitenet.net> said:
>
> Note that running festival in server mode is an enourmous security
> hole. A festival server can be made to read and probably write to
> arbitrary files on the system.

Thanks, I didn't realize that (I don't know Scheme, all I've used so far
is the SayText function).  I'll put some words to this effect in the
package's description.

> I've talked to the authors about this, but they don't seem too
> interested in fixing it.

Perhaps they'd be amenable to adding an option which tells the server
the address to bind() to.  This would be a simple change and it would
allow one to restrict connections to localhost, at least.

-- 
Roderick Schertler
roderick@argon.org

Reply to:

References:
- intent to package Festival::Client Perl module
  - From: Roderick Schertler <roderick@argon.org>
- Re: intent to package Festival::Client Perl module
  - From: Joey Hess <joey@kitenet.net>
- Re: intent to package Festival::Client Perl module
  - From: Roderick Schertler <roderick@argon.org>
- Re: intent to package Festival::Client Perl module
  - From: Joey Hess <joey@kitenet.net>

Prev by Date: Re: Large-scale debian installation, request help
Next by Date: Re: Files which do not belong to installed packages...
Previous by thread: Re: intent to package Festival::Client Perl module
Next by thread: New package available: xmeter
Index(es):
- Date
- Thread