Your message dated Tue, 25 Oct 2005 08:02:08 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#334616: fixed in yiff 2.14.2-8 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Oct 2005 00:03:45 +0000

From: Javier Fernandez-Sanguino Pen~a <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: yiff-server: runs as root and opens any file a client asks for
Date: Wed, 19 Oct 2005 02:03:41 +0200
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>

Package: yiff-server
Version: 2.14.2-7
Severity: critical
Tags: security
Justification: root security hole

The yiff server, by default, will run as the root user. Even though it only requires privileges to access the audio devices (/dev/dsp and /dev/mixer), no effort is made by the package to create a specific user and run the server as such.

This means that this opens up yiff-server to, at least, local attacks, since the localhost is always allowed access to the yiff server. Thus, a rogue (local) user can get the yiff-server to (try to) open up any local file. This can have bad consequences if a local user forces the yiff server to open up a device file, if even reading it might be dangerous (consider the case, for example, if you can make the server read a hard disk drive). The server does not make any effort to review the files it is requested; it will just open whatever is provided, try to determine if it's a Wav, Voc, or Raw file, and try to play it.

In this day and age, servers like yiff should:

 a) run under a non-privileged user
 b) run chrooted, if possible, so that they will only be able to access a set of files
 c) do input checks to prevent them from going places they did not expect; for example, the server could only allow relative paths and resolve them to a fixed directory (/var/spool/yiff or whatever)

It looks like the code of the server has not been audited for security issues, which adds even more reasons to have this running as non-root in the default Debian installation.

Regards

Javier

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-686
Locale: LANG=es_ES, LC_CTYPE=es_ES (charmap=ISO-8859-1)

Versions of packages yiff-server depends on:
ii  debconf [debconf-2.0]  1.4.58    Debian configuration management sy
ii  libc6                  2.3.5-6   GNU C Library: Shared libraries an
ii  liby2-14               2.14.2-7  Y Sound Server Library

yiff-server recommends no packages.
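The two controls the report asks for in (a) and (c), as an added C example that is not yiff's own code: a lexical check that confines a client-supplied file name to a fixed spool directory, a resolved-path check that catches symlinks planted inside that directory, and the privilege drop to an unprivileged account. The spool directory and the function names are assumptions; the 'yiff' user is the one the fixed package creates.

```c
/* Added example, not yiff's own code: confine client-supplied file names to a
 * fixed spool directory and give up root first. Names here are assumptions. */
#define _GNU_SOURCE
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Lexical check: the client may only name a relative path of plain components;
 * absolute paths, ".", ".." and empty components are refused. On success the
 * joined path "<spool>/<req>" is written to out and 0 is returned, else -1. */
int confine_path(const char *spool, const char *req, char *out, size_t outlen)
{
    if (req == NULL || *req == '\0' || *req == '/') return -1;
    for (const char *p = req; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return -1;                       /* "a//b" */
        if (p[0] == '.' && (len == 1 || (len == 2 && p[1] == '.')))
            return -1;                                 /* "." or ".." */
        p += len;
        if (*p == '/' && *++p == '\0') return -1;      /* trailing '/' */
    }
    int n = snprintf(out, outlen, "%s/%s", spool, req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Second line of defence at open time: resolve symlinks and confirm the file
 * really lives below the spool directory. Returns 1 if it does, else 0. */
int inside_spool(const char *spool, const char *path)
{
    char rs[PATH_MAX], rp[PATH_MAX];
    if (!realpath(spool, rs) || !realpath(path, rp)) return 0;
    size_t n = strlen(rs);
    return strncmp(rp, rs, n) == 0 && rp[n] == '/';
}

/* Give up root for an unprivileged account such as the 'yiff' user the fixed
 * package creates (it must be in 'audio' to reach /dev/dsp and /dev/mixer).
 * Returns 0 on success, -1 if a step fails or root can still be regained. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw || initgroups(user, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* must fail once root is dropped */
}
```

drop_privileges() has to run after the audio devices are opened, or the target account must already be in the 'audio' group, which is what the packaged fix arranges.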
---------------------------------------
Received: (at 334616-close) by bugs.debian.org; 25 Oct 2005 15:11:27 +0000

From: Phil Brooke <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#334616: fixed in yiff 2.14.2-8
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 25 Oct 2005 08:02:08 -0700

Source: yiff
Source-Version: 2.14.2-8

We believe that the bug you reported is fixed in the latest version of yiff, which is due to be installed in the Debian FTP archive:

liby-dev_2.14.2-8_i386.deb
  to pool/main/y/yiff/liby-dev_2.14.2-8_i386.deb
liby2-14_2.14.2-8_i386.deb
  to pool/main/y/yiff/liby2-14_2.14.2-8_i386.deb
yiff-server_2.14.2-8_i386.deb
  to pool/main/y/yiff/yiff-server_2.14.2-8_i386.deb
yiff_2.14.2-8.diff.gz
  to pool/main/y/yiff/yiff_2.14.2-8.diff.gz
yiff_2.14.2-8.dsc
  to pool/main/y/yiff/yiff_2.14.2-8.dsc

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Phil Brooke <[EMAIL PROTECTED]> (supplier of updated yiff package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Tue, 25 Oct 2005 15:11:44 +0100
Source: yiff
Binary: liby-dev liby2-14 yiff-server
Architecture: source i386
Version: 2.14.2-8
Distribution: unstable
Urgency: low
Maintainer: Phil Brooke <[EMAIL PROTECTED]>
Changed-By: Phil Brooke <[EMAIL PROTECTED]>
Description:
 liby-dev    - Y Sound Server Library Header Files
 liby2-14    - Y Sound Server Library
 yiff-server - Y Sound Server
Closes: 334616
Changes:
 yiff (2.14.2-8) unstable; urgency=low
 .
   * Added patch from Javier Fernandez-Sanguino Pen~a (closes: #334616) with the following changes:
     * Create a user 'yiff' (group 'yiff') to run the yiff-server; its home directory is /var/lib/yiff (currently unused, but could be used to set up a chroot)
       - new debian/yiff-server.preinst that creates the user and assigns it to the 'audio' group
       - modified debian/yiff-server.postrm to remove the user and the new files (/var/lib/yiff) as well as the new PID location (/var/run/yiff/)
       - modified debian/yiff-server.init so that it runs as the 'yiff' user
       - adjusted location of PIDFILE in yiff/main.c to point to /var/run/yiff/yiff.pid
     * Pre-Depends on adduser as we use it in preinst