Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2

["Thomas B. Rücker" <thomas () ruecker fi>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[resending as it seems Thunderbird/Enigmail breaks my signature]

A new version of Icecast was released, following the discovery of a
remote denial of service vulnerability by Juliane Holzt earlier today.

Affected Icecast versions:
2.3.3(first release with stream_auth)
2.4.0
2.4.1

Fix released in:
2.4.2

We do not release fixes for:
2.3.3: EOL
2.4.0: not necessary, as 2.4.1 was a bugfix release for 2.4.0.


On 04/08/2015 12:52 PM, "Thomas B. Rücker" wrote:
> Today we became aware of a bug in the Icecast code handling source
> client URL-authentication and are releasing a security fix.
> The bug was discovered by Juliane Holzt, who we'd like to thank for
> bringing this to our attention and providing us with further details.
[...]
> The bug can only be triggered if "stream_auth" is being used,
> for example:
> <mount>
>   <mount-name>/test.ogg</mount-name>
>   <authentication type="url">
>     <option name="stream_auth" value="http://localhost/auth"/>
>   </authentication>
> </mount>
>
> This means, that all installations that use a default configuration are
> NOT affected.The default configuration only uses <source-password>.
> Neither are simple mountpoints affected that use <password>.
>
> A workaround, if installing an updated package is not possible, is to
> disable "stream_auth"and use <password> instead.
>
> As far as we understand the bug only leads to a simple remote denial of
> service. The underlying issue is a null pointer dereference. For
> clarity: No remote code execution should be possible, server just
> segfaults.
>
> Proof of concept:
> curl "http://example.org:8000/admin/killsource?mount=/test.ogg";
> If the server is configured as above, then it will segfault.A source
> client does not need to be connected to that mount point.
> As Juliane points out: "This only happens when making a request WITHOUT
> login credentials."
> This means, that sadly exploiting this does not require any
> authentication, just the knowledge of a mount point configured with
> stream_auth.
>
> Original Debian bug report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
>
> Xiph.org ticket:
> https://trac.xiph.org/ticket/2191
>
> Sources:
> http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
> SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
> git-tag: release-2.4.2
[...]
> We are requesting a CVE ID through oss-security and I will update the
> ticket once we have received it.


Thanks in advance


Thomas B. Ruecker

Icecast maintainer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlUlNZIACgkQfkVKO9VkYGnSegCaAyvKVDcNyp1tNROYstDD5cuB
4KcAnil31ZFpwYLKoiAm9AwJdgtknjPn
=cj1f
-----END PGP SIGNATURE-----