[icecast-dev] URGENT: security exploit fix
Jack Moffitt
jack at xiph.org
Wed Apr 10 14:49:27 PDT 2002
To all users:
The recently exploits announced at bugtraq can be fixed by the following
patch. This patch should fix a few other potential holes as well, and I
will post a followup patch soon that is even more thorough.
Note: this exploit would give the attacker priviledges of the user
running icecast. If you are running icecast as a normal user account or
as root, this would be a good time to run it as nobody or some other
unpriveledged account.
Anyone running icecast as root better upgrade fast and do a search for
rootkits or other odd behaviors on their systems.
Regards,
jack.
----- Forwarded message from Jack Moffitt <jack at shredder.sneakyninja.com> -----
Date: Wed, 10 Apr 2002 14:36:27 -0700 (PDT)
From: jack at shredder.sneakyninja.com (Jack Moffitt)
To: cvs at icecast.org
Subject: cvs commit: icecast/src avl_functions.c source.c
X-Spam-Status: No, hits=-3.2 required=10.0 tests=UNIFIED_PATCH,NO_MX_FOR_FROM version=2.11
jack 02/04/10 14:36:27
Modified: src avl_functions.c source.c
Log:
Fix security exploit (icx.c) that exploited a buffer overflow in the alias
logic.
Revision Changes Path
1.9 +4 -4 icecast/src/avl_functions.c
Index: avl_functions.c
===================================================================
RCS file: /cvsroot/icecast/src/avl_functions.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- avl_functions.c 26 May 2000 15:47:55 -0000 1.8
+++ avl_functions.c 10 Apr 2002 21:36:27 -0000 1.9
@@ -156,8 +156,8 @@
write_log (LOG_DEFAULT, "WARNING: compare_relays() called with NULL pointers!");
}
- sprintf (cfirst, "%s:%d%s", r1->req.host, r1->req.port, r1->req.path);
- sprintf (csecond, "%s:%d%s", r2->req.host, r2->req.port, r2->req.path);
+ snprintf (cfirst, BUFSIZE, "%s:%d%s", r1->req.host, r1->req.port, r1->req.path);
+ snprintf (csecond, BUFSIZE, "%s:%d%s", r2->req.host, r2->req.port, r2->req.path);
return ice_strcmp (cfirst, csecond);
}
@@ -188,8 +188,8 @@
return -1;
}
- sprintf (full, "%s:%d%s", a1->name->host, a1->name->port, a1->name->path);
- sprintf (full2, "%s:%d%s", a2->name->host, a2->name->port, a2->name->path);
+ snprintf (full, BUFSIZE, "%s:%d%s", a1->name->host, a1->name->port, a1->name->path);
+ snprintf (full2, BUFSIZE, "%s:%d%s", a2->name->host, a2->name->port, a2->name->path);
return ice_strcmp (full, full2);
}
<p><p>1.35 +1 -1 icecast/src/source.c
Index: source.c
===================================================================
RCS file: /cvsroot/icecast/src/source.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- source.c 7 Aug 2001 19:16:14 -0000 1.34
+++ source.c 10 Apr 2002 21:36:27 -0000 1.35
@@ -608,7 +608,7 @@
xa_debug (1, "DEBUG: Search local mount points");
- sprintf(pathbuf, "%s:%d%s", req->host[0] ? req->host : "localhost", req->port, req->path);
+ snprintf(pathbuf, BUFSIZE, "%s:%d%s", req->host[0] ? req->host : "localhost", req->port, req->path);
while ((con = avl_traverse(info.sources, &trav)) != NULL)
{
<p><p><p>----- End forwarded message -----
--- >8 ----
List archives: http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-dev-request at xiph.org'
containing only the word 'unsubscribe' in the body. No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.
More information about the Icecast-dev
mailing list