Jack Moffitt:
> > securityfocus mailing list (bugtraq) today (and several months before)
> > about a remote buffer overflow in icecast v1.3.10 (which seems to be a
>
> Point me to a url at bugtraq where I can read a description of the
> problem.

I've today's email only in the web archive, here's a copy. Don't know if it's old news...

u.

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-089-2                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
January 21, 2002
- ------------------------------------------------------------------------

Package        : icecast-server
Problem type   : remote exploit (and others)
Debian-specific: no

In Debian Security Advisory DSA-089-1 we reported that icecast-server
has several security problems. For details please see that advisory.

The i386 package mentioned in the DSA-089-1 advisory was incorrectly
compiled and will not run on Debian GNU/Linux potato machines. This
has been corrected in version 1.3.10-1.1.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
  This advisory only updates the i386 package.

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/icecast-server_1.3.10-1.1_i386.deb
      MD5 checksum: 6777c4acf5c95daf691597ed5b9ee502

  This package will be moved into the stable distribution on its next
  revision.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .

--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request@xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.

I'm having trouble getting ices-0.2.2 installed with lame support. I've tried to compile it with lame 3.87, 3.88 and 3.89, all with no success. It would appear that lame changed the way some of the functions are called (and/or eliminated some?). In any case the output from gmake:

gmake[3]: Entering directory `/usr/local/src/ices-0.2.2/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -DICES_ETCDIR=\"/usr/local/icecast/etc\" -DICES_MODULEDIR=\"/usr/local/icecast/etc/modules\" -I../resolver -I../thread -I../libshout -I/usr/libdata/perl/5.00503/mach/CORE -I/usr/local/include/libxml2 -I/usr/local/include/libxml2/libxml -g -O2 -Wall -c reencode.c
reencode.c: In function `ices_reencode_initialize':
reencode.c:56: warning: implicit declaration of function `get_lame_version'
reencode.c: In function `ices_reencode_shutdown':
reencode.c:82: warning: implicit declaration of function `lame_close'
reencode.c: In function `ices_reencode_flush':
reencode.c:118: warning: implicit declaration of function `lame_encode_flush'
reencode.c: In function `reencode_lame_init':
reencode.c:144: too few arguments to function `lame_init'
reencode.c:144: void value not ignored as it ought to be
reencode.c:153: warning: implicit declaration of function `lame_set_brate'
reencode.c:155: warning: implicit declaration of function `lame_set_num_channels'
reencode.c:157: warning: implicit declaration of function `lame_set_out_samplerate'
reencode.c:158: warning: implicit declaration of function `lame_set_original'
reencode.c:168: void value not ignored as it ought to be
gmake[3]: *** [reencode.o] Error 1
gmake[3]: Leaving directory `/usr/local/src/ices-0.2.2/src'
gmake[2]: *** [all-recursive] Error 1
gmake[2]: Leaving directory `/usr/local/src/ices-0.2.2/src'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/local/src/ices-0.2.2'
gmake: *** [all-recursive-am] Error 2

I looked through the offending source (reencode.c) and lame.h and tried to reconcile the two, just to have the resulting code segfault as soon as it actually tried to reencode something.

Does anyone have this working? I'm running FreeBSD 4.4-stable.

-Mark

Hi:

IIRC, Debian Potato had an ancient version of icecast which they fixed by updating to 1.3.10. Why they didn't go to 1.3.11 is beyond me.

Geoff.

> IIRC, Debian Potato had an ancient version of icecast which they fixed by
> updating to 1.3.10. Why they didn't go to 1.3.11 is beyond me.

Now I remember this. 1.3.11 didn't have any major security fixes, so dmz (the Debian icecast maintainer) could only really bump it to 1.3.10.

dmz, feel free to correct me if I'm wrong.

jack.