Fix CVE-2010-3996

(cherry picked from commit d173e0d612111d8b766d096f3390612c525bb64e)

CVE-2010-3996-festival-no-LD_LIBRARY_PATH-extension.patch

@@ -0,0 +1,83 @@
+From aad72cc9d7d9788daef801ad95d4ce5e873d2b76 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 14 Mar 2022 15:01:27 +0800
+Subject: [PATCH 1/1] festival-no-LD_LIBRARY_PATH-extension
+
+---
+ src/scripts/shared_script    | 19 -------------------
+ src/scripts/shared_setup_prl |  8 --------
+ src/scripts/shared_setup_sh  | 18 ------------------
+ 3 files changed, 45 deletions(-)
+
+diff --git a/src/scripts/shared_script b/src/scripts/shared_script
+index 736034d..5c17b7e 100644
+--- a/src/scripts/shared_script
++++ b/src/scripts/shared_script
+@@ -1,24 +1,5 @@
+ #!/bin/sh
+ 
+-# Festival shared script
+-
+-extend() {
+-	var="$1"
+-	extra="$2"
+-	eval "val=\$$var"
+-	
+-	if [ -n "$val" ]
+-		then
+-		val="$extra:$val"
+-	else
+-		val="$extra"
+-	fi
+-	eval "$var='$val'"
+-	eval "export $var"
+-	}
+-
+-extend LD_LIBRARY_PATH "__EST__/lib:__LDPATH__"
+-
+ exec __MAIN__/__PROGRAM__ "$@"
+ 
+ exit 0
+diff --git a/src/scripts/shared_setup_prl b/src/scripts/shared_setup_prl
+index eba11ff..139597f 100644
+--- a/src/scripts/shared_setup_prl
++++ b/src/scripts/shared_setup_prl
+@@ -1,10 +1,2 @@
+ 
+-if (defined($ENV{LD_LIBRARY_PATH}))
+-	{
+-	$ENV{LD_LIBRARY_PATH} = "__TOP__/lib:__LDPATH__:$ENV{LD_LIBRARY_PATH}";
+-	}
+-else
+-	{
+-	$ENV{LD_LIBRARY_PATH} = "__TOP__/lib";
+-	} 
+ 
+diff --git a/src/scripts/shared_setup_sh b/src/scripts/shared_setup_sh
+index ae45097..139597f 100644
+--- a/src/scripts/shared_setup_sh
++++ b/src/scripts/shared_setup_sh
+@@ -1,20 +1,2 @@
+ 
+-# festival shared setup 
+-
+-extend() {
+-	var="$1"
+-	extra="$2"
+-	eval "val=\$$var"
+-	
+-	if [ -n "$val" ]
+-		then
+-		val="$extra:$val"
+-	else
+-		val="$extra"
+-	fi
+-	eval "$var='$val'"
+-	eval "export $var"
+-	}
+-
+-extend LD_LIBRARY_PATH "__EST__/lib:__LDPATH__"
+ 
+-- 
+2.30.0
+

CVE-2010-3996-festival-safe-temp-file.patch

@@ -0,0 +1,27 @@
+Index: festival/src/scripts/festival_server.sh
+===================================================================
+--- festival.orig/src/scripts/festival_server.sh
++++ festival/src/scripts/festival_server.sh
+@@ -210,14 +210,19 @@ trap "handle_term" 0
+ 
+ if $show
+     then
+-    create_server_startup $port $server_log /tmp/$$ 3>/dev/null
++    tmpfile=`mktemp -q`
++    if test $? -ne 0; then
++        echo "Error while getting configuration."
++        exit 1
++    fi
++    create_server_startup $port $server_log "$tmpfile" 3>/dev/null
+     fl=false
+     while read l
+ 	do
+ 	if $fl ; then echo $l ; fi
+ 	if [ "$l" = ";---" ] ; then fl=true ; fi
+-    done </tmp/$$ 
+-    /bin/rm -f /tmp/$$
++    done < "$tmpfile"
++    /bin/rm -f "$tmpfile"
+     exit 0
+ fi
+ 

CVE-2010-3996-speech_tools-no-LD_LIBRARY_PATH-extension.patch

@@ -0,0 +1,83 @@
+From 940c9fa430199725a750f500b32d656c3a91e3cf Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 14 Mar 2022 15:18:45 +0800
+Subject: [PATCH 1/1] speech_tools-no-LD_LIBRARY_PATH-extension
+
+---
+ speech_tools/scripts/shared_script    | 19 -------------------
+ speech_tools/scripts/shared_setup_prl |  8 --------
+ speech_tools/scripts/shared_setup_sh  | 18 ------------------
+ 3 files changed, 45 deletions(-)
+
+diff --git a/speech_tools/scripts/shared_script b/speech_tools/scripts/shared_script
+index ca3e1b5..5c17b7e 100644
+--- a/speech_tools/scripts/shared_script
++++ b/speech_tools/scripts/shared_script
+@@ -1,24 +1,5 @@
+ #!/bin/sh
+ 
+-# EST shared script
+-
+-extend() {
+-	var="$1"
+-	extra="$2"
+-	eval "val=\$$var"
+-	
+-	if [ -n "$val" ]
+-		then
+-		val="$extra:$val"
+-	else
+-		val="$extra"
+-	fi
+-	eval "$var='$val'"
+-	eval "export $var"
+-	}
+-
+-extend LD_LIBRARY_PATH "__LIB__:__LDPATH__"
+-
+ exec __MAIN__/__PROGRAM__ "$@"
+ 
+ exit 0
+diff --git a/speech_tools/scripts/shared_setup_prl b/speech_tools/scripts/shared_setup_prl
+index eba11ff..139597f 100644
+--- a/speech_tools/scripts/shared_setup_prl
++++ b/speech_tools/scripts/shared_setup_prl
+@@ -1,10 +1,2 @@
+ 
+-if (defined($ENV{LD_LIBRARY_PATH}))
+-	{
+-	$ENV{LD_LIBRARY_PATH} = "__TOP__/lib:__LDPATH__:$ENV{LD_LIBRARY_PATH}";
+-	}
+-else
+-	{
+-	$ENV{LD_LIBRARY_PATH} = "__TOP__/lib";
+-	} 
+ 
+diff --git a/speech_tools/scripts/shared_setup_sh b/speech_tools/scripts/shared_setup_sh
+index 64f0ba9..139597f 100644
+--- a/speech_tools/scripts/shared_setup_sh
++++ b/speech_tools/scripts/shared_setup_sh
+@@ -1,20 +1,2 @@
+ 
+-# EST shared setup 
+-
+-extend() {
+-	var="$1"
+-	extra="$2"
+-	eval "val=\$$var"
+-	
+-	if [ -n "$val" ]
+-		then
+-		val="$extra:$val"
+-	else
+-		val="$extra"
+-	fi
+-	eval "$var='$val'"
+-	eval "export $var"
+-	}
+-
+-extend LD_LIBRARY_PATH "__TOP__/lib:__LDPATH__"
+ 
+-- 
+2.30.0
+

festival.spec

@@ -1,6 +1,6 @@
 Name:           festival
 Version:        1.96
-Release:        42
+Release:        43
 Summary:        Festival Speech Synthesis System
 License:        MIT and GPL+ and TCL
 URL:            http://www.cstr.ed.ac.uk/projects/festival/
@@ -53,6 +53,10 @@ Patch96:        festival.gcc47.patch
 Patch97:        no-shared-data.patch
 Patch98:        festival-1.96-server-script-typo.patch
 Patch99:        festival-gcc7.patch
+#https://build.opensuse.org/package/show/openSUSE:Factory/festival
+Patch100:       CVE-2010-3996-festival-no-LD_LIBRARY_PATH-extension.patch
+Patch101:       CVE-2010-3996-festival-safe-temp-file.patch
+Patch102:       CVE-2010-3996-speech_tools-no-LD_LIBRARY_PATH-extension.patch
 
 BuildRequires:  gcc gcc-c++ pulseaudio-libs-devel texi2html ncurses-devel
 Requires(post): /sbin/ldconfig
@@ -164,6 +168,9 @@ done
 %patch97 -p1
 %patch98
 %patch99 -p1
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
 
 rm festdoc-%{docversion}/speech_tools/doc/index_html.jade
 rm festdoc-%{docversion}/speech_tools/doc/tex_stuff.jade
@@ -347,6 +354,9 @@ fi
 %{_mandir}/man1/*
 
 %changelog
+* Tue Mar 15 2022 yaoxin <yaoxin30@huawei.com> - 1.96-43
+- Fix CVE-2010-3996
+
 * Thu Nov 26 2020 Guoshuai Sun <sunguoshuai@huawei.com> - 1.96-42
 - install-info should be executed before the help package is uninstalled