YIFF Sound Systems contains a flaw that may lead to an unauthorized information disclosure. The Yiff server runs as root and does not attempt to check file permissions, which allows a local attacker to play back arbitrary files, resulting in a loss of confidentiality.
Classification
Location: Local Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
Solution
Currently, there are no known upgrades, patches, or workarounds available to correct this issue. However, Javier Fernández-Sanguino Peña has released an unofficial Debian-specific patch to address this vulnerability.
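The missing check described above, sketched in C as an added example (not YIFF's code and not the Debian patch): a daemon running as root opens the requested file, then decides from fstat() on the open descriptor whether the requesting client could have read it. The names `client_may_read` and `open_for_client`, and the assumption that the daemon already knows the client's uid and gid, are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Owner/group/other read check on fstat() data; as in the kernel, only the
 * first matching class applies. Simplification (assumption): supplementary
 * groups and POSIX ACLs are ignored. */
int client_may_read(const struct stat *st, uid_t uid, gid_t gid)
{
    if (uid == 0)
        return 1;                       /* root may read any file anyway */
    if (uid == st->st_uid)
        return (st->st_mode & S_IRUSR) != 0;
    if (gid == st->st_gid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Hypothetical helper: open `path` for playback on behalf of a client whose
 * uid/gid the daemon already knows. Returns an fd, or -1 with errno set. */
int open_for_client(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as the final component.
     * O_NONBLOCK: do not hang on a FIFO before its type is checked. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the opened object, not the path, so it cannot be swapped. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        !client_may_read(&st, uid, gid)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_for_client(argc > 1 ? argv[1] : "/etc/hostname", getuid(), getgid());
    printf("%s\n", fd >= 0 ? "allowed" : "denied");
    return fd >= 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Where the daemon can switch to the client's credentials before calling open(), letting the kernel make the decision also covers supplementary groups and ACLs.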