Package: yiff-server
Version: 2.14.2-7
Severity: critical
Tags: security
Justification: root security hole

The yiff server, by default, runs as the root user, even though it
only requires privileges to access the audio devices (/dev/dsp and
/dev/mixer); no effort is made by the package to create a specific user
and run the server as such.

This means that yiff-server is exposed to, at least, local attacks,
since localhost is always allowed access to the yiff server. Thus, a
rogue (local) user can get the yiff-server to (try to) open any local
file. This can have bad consequences if a local user forces the yiff
server to open a device file for which even reading it might be
dangerous (consider, for example, the case where you can make the
server read a hard disk drive).


The server does not make any effort to review the files it is requested
to play; it will just open whatever is provided, try to determine whether
it's a Wav, Voc or Raw file, and try to play it.

In this day and age, servers like yiff should run:

a) under a non-privileged user
b) chrooted, if possible, so that it will only be able to access a set
   of files
c) with input checks to prevent it from going places it did not expect;
   for example, the server could only allow relative paths and resolve
   them to a fixed directory (/var/spool/yiff or whatever)
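One way to implement the input check in (c), as an added example written for this report rather than code from yiff: a requested name is accepted only as a plain relative path, it is resolved under an assumed spool directory (e.g. /var/spool/yiff), and only regular files are opened, so a request naming /dev/dsp or a disk device is refused before anything is read.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Lexical check on the client-supplied name: a relative path of plain components
 * (no leading '/', no "." or "..", no empty component, no trailing '/'). 1 = ok. */
int request_path_ok(const char *req)
{
    const char *p = req;
    if (req == NULL || *req == '\0' || *req == '/')
        return 0;
    while (*p) {
        size_t n = strcspn(p, "/");              /* length of this component */
        if (n == 0 || (n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                            /* "a//b", "./x", "../x" */
        p += n;
        if (*p == '/' && *++p == '\0')
            return 0;                            /* "a/" names a directory */
    }
    return 1;
}

/* Join the name onto the spool directory, open it without following a symlink on
 * the final component, and accept only regular files, so a device node, FIFO or
 * directory fails instead of being read. Returns a read-only fd, or -1. */
int open_sound_file(const char *spool_dir, const char *req)
{
    char path[4096];
    struct stat st;
    int fd;
    if (!request_path_ok(req))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", spool_dir, req) >= (int)sizeof path)
        return -1;                               /* too long: refuse, never truncate */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                               /* /dev/dsp, /dev/hda, a FIFO, ... */
        return -1;
    }
    return fd;
}
```

Symlinks in intermediate components are still followed, so the spool tree itself should be root-owned and not writable by the server's user.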

It looks like the code of the server has not been audited for security
issues, which is all the more reason to have it running as non-root in
the default Debian installation.

Regards

Javier


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)

Versions of packages yiff-server depends on:
ii  debconf [debconf-2.0]         1.4.58     Debian configuration management sy
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  liby2-14                      2.14.2-7   Y Sound Server Library

yiff-server recommends no packages.

-- debconf information excluded

