Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <5525271C.6080907@ruecker.fi>
Date: Wed, 08 Apr 2015 13:03:24 +0000
From: "Thomas B. Rücker" <thomas@...cker.fi>
To: oss-security@...ts.openwall.com
Subject: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


A new version of Icecast was released, following the discovery of a
remote denial of service vulnerability by Juliane Holzt earlier today.

Affected Icecast versions:
2.3.3(first release with stream_auth)
2.4.0
2.4.1

Fix released in:
2.4.2

We do not release fixes for:
2.3.3: EOL
2.4.0: not necessary, as 2.4.1 was a bugfix release for 2.4.0.


On 04/08/2015 12:52 PM, "Thomas B. Rücker" wrote:
>
> Today we became aware of a bug in the Icecast code handling source
> client URL-authentication and are releasing a security fix.
> The bug was discovered by Juliane Holzt, who we'd like to thank for
> bringing this to our attention and providing us with further details.
>
[...]
> The bug can only be triggered if "stream_auth" is being used, for example:
> <mount>
>   <mount-name>/test.ogg</mount-name>
>   <authentication type="url">
>     <option name="stream_auth" value="http://localhost/auth"/>
>   </authentication>
> </mount>
>
> This means, that all installations that use a default configuration are
> NOT affected.The default configuration only uses <source-password>.
> Neither are simple mountpoints affected that use <password>.
>
> A workaround, if installing an updated package is not possible, is to
> disable "stream_auth"and use <password> instead.
>
> As far as we understand the bug only leads to a simple remote denial of
> service. The underlying issue is a null pointer dereference. For
> clarity: No remote code execution should be possible, server just
segfaults.
>
> Proof of concept:
> curl "http://example.org:8000/admin/killsource?mount=/test.ogg"
> If the server is configured as above, then it will segfault.A source
> client does not need to be connected to that mount point.
> As Juliane points out: "This only happens when making a request WITHOUT
> login credentials."
> This means, that sadly exploiting this does not require any
> authentication, just the knowledge of a mount point configured with
> stream_auth.
>
> Original Debian bug report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
>
> Xiph.org ticket:
> https://trac.xiph.org/ticket/2191
>
> Sources:
> http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
> SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
> git-tag: release-2.4.2
>
> As usual there are up to date packages available for most mainstream
> distributions. We've moved from my personal project to an official
> Xiph.org project on openSUSE OBS:
> https://build.opensuse.org/package/show/multimedia:xiph/icecast
> Individual repositories are here:
>
> A copy of the openSUSE OBS multimedia signing key is here:
> http://icecast.org/multimedia-obs.key
>
> The Windows version will be updated later today.
>
[...]
> We are requesting a CVE ID through oss-security and I will update the
> ticket once we have received it.

Thanks in advance


Thomas B. Ruecker

Icecast maintainer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlUlJxsACgkQfkVKO9VkYGno+QCeMgppXgELGbuU8asfEKUH+yn2
XZkAnAx2j9qJPTNOb8+FMnMe5TwLWdYI
=f+Dp
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.