[Icecast-dev] Icecast 2.4.2 - security release

["Thomas B. Rücker"]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Today we became aware of a bug in the Icecast code handling source
client URL-authentication and are releasing a security fix.
The bug was discovered by Juliane Holzt, who we'd like to thank for
bringing this to our attention and providing us with further details.

Affected Icecast versions:
2.3.3(first release with stream_auth)
2.4.0
2.4.1

Fix released in:
2.4.2

We do not release fixes for:
2.3.3: EOL
2.4.0: as 2.4.1 was a bugfix release for 2.4.0.

The bug can only be triggered if "stream_auth" is being used, for example:
<mount>
  <mount-name>/test.ogg</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://localhost/auth"/>
  </authentication>
</mount>

This means, that all installations that use a default configuration are
NOT affected.The default configuration only uses <source-password>.
Neither are simple mountpoints affected that use <password>.

A workaround, if installing an updated package is not possible, is to
disable "stream_auth"and use <password> instead.

As far as we understand the bug only leads to a simple remote denial of
service. The underlying issue is a null pointer dereference. For
clarity: No remote code execution should be possible, server just segfaults.

Proof of concept:
curl "http://example.org:8000/admin/killsource?mount=/test.ogg"
If the server is configured as above, then it will segfault.A source
client does not need to be connected to that mount point.
As Juliane points out: "This only happens when making a request WITHOUT
login credentials."
This means, that sadly exploiting this does not require any
authentication, just the knowledge of a mount point configured with
stream_auth.

Original Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120

Xiph.org ticket:
https://trac.xiph.org/ticket/2191

Sources:
http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
git-tag: release-2.4.2

As usual there are up to date packages available for most mainstream
distributions. We've moved from my personal project to an official
Xiph.org project on openSUSE OBS:
https://build.opensuse.org/package/show/multimedia:xiph/icecast
Individual repositories are here:

A copy of the openSUSE OBS multimedia signing key is here:
http://icecast.org/multimedia-obs.key

The Windows version will be updated later today.

Known issues (as in 2.4.1)
    * status-json.xsl format differs if one source client is
      connected and if more than one client is connected.
      Workaround: e.g. connect dummy source(s).
    * HTTP PUT implementation currently doesn’t support
      chunked encoding yet.
    * HTTP PUT with “Expect: 100-Continue” receives first a “100” and
      soon after a “200”, instead of the “200” at end of transmission.
    * Caution should be exercised when using <on-connect> or
      <on-disconnect>, as there is a small chance of stream file
      descriptors being mixed up with script file descriptors, if the
      FD numbers go above 1024. This will be further addressed in the
      next Icecast release.
    * Don’t use comments inside <http-headers> as it will prevent
      processing of further <header> tags.
    * Web interface shows Login when using just stream_auth.

We are requesting a CVE ID through oss-security and I will update the
ticket once we have received it.

Thomas Ruecker
Icecast maintainer

PS: The OBS package builds are somewhat slow today, so it might still
take a while until the last updated packages have been published to the
repositories. I didn't want to delay the release announcement further.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlUlJJQACgkQfkVKO9VkYGmWPACfUDcWmK5T6TFV4Q1f9+RZOcDr
vj4An1CBPF2AntVl0jxUfCCBHD7wNcEy
=jRys
-----END PGP SIGNATURE-----