Icecast 2.4.4 - CVE-2018-18820 - buffer overflow in url-auth

[Thomas B. Rücker <thomas () ruecker fi>]

We released a new version of Icecast.
It is a security release and we recommend to update all
Icecast installations of versions below 2.4.4 to it.

-   Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
    * This security issue affects all Icecast servers running version
      2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
      that enables URL authentication.
    * A malicious client could send long HTTP headers, leading to
      a buffer overflow and potential remote code execution.
    * The problematic code was introduced in version 2.4.0 and
      was now brought to our attention by Nick Rolfe of
      Semmle Security Research Team https://lgtm.com/security

https://gitlab.xiph.org/xiph/icecast-server/commit/b21a7283bd1598c5af0bbb250a041ba8198f98f2

-   Worked around buffer overflows in URL auth's cURL interface.
    * We currently do not believe that this issue is exploitable.
      It would require a malicious URL authentication back end server
      to send a crafted payload and make it through libcURL.
    * If someone manages, please let us know.

https://gitlab.xiph.org/xiph/icecast-server/commit/03ea74c04a5966114c2fe66e4e6892d11a68181e

Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz

[#2342]: https://gitlab.xiph.org/xiph/icecast-server/issues/2342


Thomas B. Ruecker
Icecast maintainer

PS: Default installations are not affected. This is an advanced feature.

Attachment: signature.asc
Description: OpenPGP digital signature