[Icecast] Icecast 2.4.2 - security release
"Thomas B. Rücker"
thomas at ruecker.fi
Wed Apr 8 05:52:37 PDT 2015
-----BEGIN PGP SIGNED MESSAGE-----
Today we became aware of a bug in the Icecast code handling source
client URL-authentication and are releasing a security fix.
The bug was discovered by Juliane Holzt, who we'd like to thank for
bringing this to our attention and providing us with further details.
Affected Icecast versions:
2.3.3(first release with stream_auth)
Fix released in:
We do not release fixes for:
2.4.0: as 2.4.1 was a bugfix release for 2.4.0.
The bug can only be triggered if "stream_auth" is being used, for example:
<option name="stream_auth" value="http://localhost/auth"/>
This means, that all installations that use a default configuration are
NOT affected.The default configuration only uses <source-password>.
Neither are simple mountpoints affected that use <password>.
A workaround, if installing an updated package is not possible, is to
disable "stream_auth"and use <password> instead.
As far as we understand the bug only leads to a simple remote denial of
service. The underlying issue is a null pointer dereference. For
clarity: No remote code execution should be possible, server just segfaults.
Proof of concept:
If the server is configured as above, then it will segfault.A source
client does not need to be connected to that mount point.
As Juliane points out: "This only happens when making a request WITHOUT
This means, that sadly exploiting this does not require any
authentication, just the knowledge of a mount point configured with
Original Debian bug report:
As usual there are up to date packages available for most mainstream
distributions. We've moved from my personal project to an official
Xiph.org project on openSUSE OBS:
Individual repositories are here:
A copy of the openSUSE OBS multimedia signing key is here:
The Windows version will be updated later today.
Known issues (as in 2.4.1)
* status-json.xsl format differs if one source client is
connected and if more than one client is connected.
Workaround: e.g. connect dummy source(s).
* HTTP PUT implementation currently doesn’t support
chunked encoding yet.
* HTTP PUT with “Expect: 100-Continue” receives first a “100” and
soon after a “200”, instead of the “200” at end of transmission.
* Caution should be exercised when using <on-connect> or
<on-disconnect>, as there is a small chance of stream file
descriptors being mixed up with script file descriptors, if the
FD numbers go above 1024. This will be further addressed in the
next Icecast release.
* Don’t use comments inside <http-headers> as it will prevent
processing of further <header> tags.
* Web interface shows Login when using just stream_auth.
We are requesting a CVE ID through oss-security and I will update the
ticket once we have received it.
PS: The OBS package builds are somewhat slow today, so it might still
take a while until the last updated packages have been published to the
repositories. I didn't want to delay the release announcement further.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Icecast