[Icecast-dev] Icecast 2.4.2 - security release
"Thomas B. Rücker"
thomas at ruecker.fi
Wed Apr 8 07:17:20 PDT 2015
[Resending, as Thunderbird/Enigmail broke the GPG signature]
Today we became aware of a bug in the Icecast code handling source
client URL-authentication and are releasing a security fix.
The bug was discovered by Juliane Holzt, who we'd like to thank for
bringing this to our attention and providing us with further details.
Affected Icecast versions:
2.3.3 (first release with stream_auth)
2.4.0
2.4.1
Fix released in:
2.4.2
We do not release fixes for:
2.3.3: EOL
2.4.0: as 2.4.1 was a bugfix release for 2.4.0.
The bug can only be triggered if "stream_auth" is being used, for example:
<mount>
  <mount-name>/test.ogg</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://localhost/auth"/>
  </authentication>
</mount>
This means that all installations that use a default configuration are
NOT affected. The default configuration only uses <source-password>.
Simple mountpoints that use <password> are not affected either.
A workaround, if installing an updated package is not possible, is to
disable "stream_auth" and use <password> instead.
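As an added example (not from this advisory or the Icecast project), a small audit script that reads an icecast.xml and reports every mount configured with stream_auth, the condition described above, and combines it with the affected-version list; the sample config embedded in it is constructed.

```python
# Added example (not part of the advisory or of Icecast itself): audit an
# icecast.xml for the configuration the bug depends on, i.e. a <mount> whose
# <authentication type="url"> carries a stream_auth option. Mounts that rely
# on <password> or on the global <source-password> are not affected.
import xml.etree.ElementTree as ET
from typing import List, Tuple

AFFECTED_VERSIONS = {"2.3.3", "2.4.0", "2.4.1"}
FIXED_VERSION = "2.4.2"

# Constructed sample config: one affected mount, one mount using <password>.
SAMPLE_CONFIG = """<icecast>
  <authentication>
    <source-password>hackme</source-password>
  </authentication>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/safe.ogg</mount-name>
    <password>secret</password>
  </mount>
</icecast>
"""


def find_stream_auth_mounts(config_xml: str) -> List[Tuple[str, str]]:
    """Return (mount-name, stream_auth URL) for every mount that uses
    URL authentication with a stream_auth option."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        name = mount.findtext("mount-name", default="(unnamed)")
        for auth in mount.findall("authentication"):
            if auth.get("type") != "url":
                continue
            for opt in auth.findall("option"):
                if opt.get("name") == "stream_auth":
                    hits.append((name, opt.get("value", "")))
    return hits


def is_affected(version: str, config_xml: str) -> bool:
    """True only if the Icecast version is vulnerable AND at least one mount
    enables stream_auth; a default configuration is never affected."""
    return version in AFFECTED_VERSIONS and bool(find_stream_auth_mounts(config_xml))


if __name__ == "__main__":
    for name, url in find_stream_auth_mounts(SAMPLE_CONFIG):
        print(f"{name}: stream_auth -> {url} (use <password> or upgrade to {FIXED_VERSION})")
    print("affected:", is_affected("2.4.1", SAMPLE_CONFIG))
```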
As far as we understand, the bug only leads to a simple remote denial of
service. The underlying issue is a null pointer dereference. For
clarity: no remote code execution should be possible; the server just segfaults.
Proof of concept:
curl "http://example.org:8000/admin/killsource?mount=/test.ogg"
If the server is configured as above, then it will segfault. A source
client does not need to be connected to that mount point.
As Juliane points out: "This only happens when making a request WITHOUT
login credentials."
This means that, sadly, exploiting this does not require any
authentication, just the knowledge of a mount point configured with
stream_auth.
Original Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Xiph.org ticket:
https://trac.xiph.org/ticket/2191
Sources:
http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
git-tag: release-2.4.2
As usual there are up to date packages available for most mainstream
distributions. We've moved from my personal project to an official
Xiph.org project on openSUSE OBS:
https://build.opensuse.org/package/show/multimedia:xiph/icecast
Individual repositories are here:
A copy of the openSUSE OBS multimedia signing key is here:
http://icecast.org/multimedia-obs.key
The Windows version will be updated later today.
Known issues (as in 2.4.1)
* status-json.xsl format differs if one source client is
connected and if more than one client is connected.
Workaround: e.g. connect dummy source(s).
* HTTP PUT implementation currently doesn't support
chunked encoding yet.
* HTTP PUT with "Expect: 100-Continue" receives first a "100" and
soon after a "200" instead of the "200" at end of transmission.
* Caution should be exercised when using <on-connect> or
<on-disconnect>, as there is a small chance of stream file
descriptors being mixed up with script file descriptors, if the
FD numbers go above 1024. This will be further addressed in the
next Icecast release.
* Don't use comments inside <http-headers> as it will prevent
processing of further <header> tags.
* Web interface shows Login when using just stream_auth.
We are requesting a CVE ID through oss-security and I will update the
ticket once we have received it.
Thomas Ruecker
Icecast maintainer
PS: The OBS package builds are somewhat slow today, so it might still
take a while until the last updated packages have been published to the
repositories. I didn't want to delay the release announcement further.