[icecast] URGENT: security exploit fix

Jack Moffitt jack at xiph.org
Wed Apr 10 21:49:27 UTC 2002 


To all users:

The recently exploits announced at bugtraq can be fixed by the following
patch.  This patch should fix a few other potential holes as well, and I
will post a followup patch soon that is even more thorough.

Note: this exploit would give the attacker priviledges of the user
running icecast.  If you are running icecast as a normal user account or
as root, this would be a good time to run it as nobody or some other
unpriveledged account.

Anyone running icecast as root better upgrade fast and do a search for
rootkits or other odd behaviors on their systems.

Regards,
jack.

----- Forwarded message from Jack Moffitt <jack at shredder.sneakyninja.com> -----

Date: Wed, 10 Apr 2002 14:36:27 -0700 (PDT)
From: jack at shredder.sneakyninja.com (Jack Moffitt)
To: cvs at icecast.org
Subject: cvs commit: icecast/src avl_functions.c source.c
X-Spam-Status: No, hits=-3.2 required=10.0 tests=UNIFIED_PATCH,NO_MX_FOR_FROM version=2.11

jack        02/04/10 14:36:27

  Modified:    src      avl_functions.c source.c
  Log:
  Fix security exploit (icx.c) that exploited a buffer overflow in the alias
  logic.

Revision  Changes    Path
1.9       +4 -4      icecast/src/avl_functions.c

Index: avl_functions.c
===================================================================
RCS file: /cvsroot/icecast/src/avl_functions.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- avl_functions.c	26 May 2000 15:47:55 -0000	1.8
+++ avl_functions.c	10 Apr 2002 21:36:27 -0000	1.9
@@ -156,8 +156,8 @@
                 write_log (LOG_DEFAULT, "WARNING: compare_relays() called with NULL pointers!");
         }
 
-	sprintf (cfirst, "%s:%d%s", r1->req.host, r1->req.port, r1->req.path);
-	sprintf (csecond, "%s:%d%s", r2->req.host, r2->req.port, r2->req.path);
+	snprintf (cfirst, BUFSIZE, "%s:%d%s", r1->req.host, r1->req.port, r1->req.path);
+	snprintf (csecond, BUFSIZE, "%s:%d%s", r2->req.host, r2->req.port, r2->req.path);
         return ice_strcmp (cfirst, csecond);
 }
 
@@ -188,8 +188,8 @@
                 return -1;
         }
         
-	sprintf (full, "%s:%d%s", a1->name->host, a1->name->port, a1->name->path);
-	sprintf (full2, "%s:%d%s", a2->name->host, a2->name->port, a2->name->path);
+	snprintf (full, BUFSIZE, "%s:%d%s", a1->name->host, a1->name->port, a1->name->path);
+	snprintf (full2, BUFSIZE, "%s:%d%s", a2->name->host, a2->name->port, a2->name->path);
 
         return ice_strcmp (full, full2);
 }

<p><p>1.35      +1 -1      icecast/src/source.c

Index: source.c
===================================================================
RCS file: /cvsroot/icecast/src/source.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- source.c	7 Aug 2001 19:16:14 -0000	1.34
+++ source.c	10 Apr 2002 21:36:27 -0000	1.35
@@ -608,7 +608,7 @@
 
         xa_debug (1, "DEBUG: Search local mount points");
 
-	sprintf(pathbuf, "%s:%d%s", req->host[0] ? req->host : "localhost", req->port, req->path);
+	snprintf(pathbuf, BUFSIZE, "%s:%d%s", req->host[0] ? req->host : "localhost", req->port, req->path);
 
         while ((con = avl_traverse(info.sources, &trav)) != NULL) 
         {

<p><p><p>----- End forwarded message -----

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.

More information about the Icecast mailing list