icecast2: CVE-2018-18820

Related Vulnerabilities: CVE-2018-18820  

Debian Bug report logs - #912611

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 1 Nov 2018 20:57:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions icecast2/2.4.3-3, icecast2/2.4.2-1

Fixed in versions icecast2/2.4.4-1, icecast2/2.4.2-1+deb9u1

Done: Unit 193 <unit193@ubuntu.com>

Bug is archived. No further changes may be made.

Forwarded to https://gitlab.xiph.org/xiph/icecast-server/issues/2342



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#912611; Package src:icecast2. (Thu, 01 Nov 2018 20:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 01 Nov 2018 20:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icecast2: CVE-2018-18820
Date: Thu, 01 Nov 2018 21:54:52 +0100
Source: icecast2
Version: 2.4.3-3
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://gitlab.xiph.org/xiph/icecast-server/issues/2342
Control: found -1 2.4.2-1

Hi,

The following vulnerability was published for icecast2.

CVE-2018-18820[0]:
buffer overflow in url-auth

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18820
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18820

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Marked as found in versions icecast2/2.4.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 01 Nov 2018 20:57:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#912611; Package src:icecast2. (Fri, 02 Nov 2018 00:57:02 GMT)


Acknowledgement sent to Paul Martin <pm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 02 Nov 2018 00:57:02 GMT)


Message #12 received at 912611@bugs.debian.org:

From: Paul Martin <pm@debian.org>
To: 912611@bugs.debian.org
Subject: New upstream available
Date: Fri, 2 Nov 2018 00:31:06 +0000
Upstream Bug: https://gitlab.xiph.org/xiph/icecast-server/issues/2342

https://gitlab.xiph.org/xiph/icecast-server/blob/release-2.4.4/ChangeLog

## Fixes

-   Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
    * This security issue affects all Icecast servers running version
      2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
      that enables URL authentication.
    * A malicious client could send long HTTP headers, leading to
      a buffer overflow and potential remote code execution.
    * The problematic code was introduced in version 2.4.0 and
      was now brought to our attention by Nick Rolfe of
      Semmle Security Research Team https://lgtm.com/security
-   Worked around buffer overflows in URL auth's cURL interface.
    * We currently do not believe that this issue is exploitable.
      It would require a malicious URL authentication back end server
      to send a crafted payload and make it through libcURL.
    * If someone manages, please let us know.
-   Do not report hashed user passwords in user list.
    There is no practical reason to show this to the administrator
    and it improves security.
-   Fixed segfault in htpasswd auth if no filename is set
-   Fixed a segfault when xsltApplyStylesheet() returns error
-   Do not segfault on malformed Opus streams
-   Global listener count could be negative under certain circumstances.
    Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting
    and investigating the bug.
-   Added code to announce Opus streams as such towards yp servers.

http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz

-- 
Paul Martin <pm@debian.org>
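
The ChangeLog quoted above says a server is exposed only when it runs 2.4.0 to 2.4.3 and has a "mount" definition that enables URL authentication. The following triage check is an added example, not code from Icecast or from this bug log; the function names and the sample configuration (including the auth.example.invalid URL) are constructed for illustration, and the version handling is simplified to the package versions listed on this page rather than full Debian version comparison.

```python
import xml.etree.ElementTree as ET

AFFECTED_UPSTREAM = {"2.4.0", "2.4.1", "2.4.2", "2.4.3"}  # from the ChangeLog above
FIXED_BACKPORTS = {"2.4.2-1+deb9u1"}                       # patched package named in this bug log

def upstream_version(pkg_version):
    """Strip epoch and Debian revision: '2.4.2-1+deb9u1' -> '2.4.2'."""
    v = pkg_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v

def url_auth_mounts(config_xml):
    """Return the mount names whose <authentication> element has type="url"."""
    root = ET.fromstring(config_xml)
    hits = []
    for mount in root.iter("mount"):
        for auth in mount.findall("authentication"):
            if (auth.get("type") or "").strip().lower() == "url":
                hits.append((mount.findtext("mount-name") or "(unnamed)").strip())
    return hits

def triage(pkg_version, config_xml):
    """Combine both conditions: unpatched code AND at least one URL-auth mount."""
    mounts = url_auth_mounts(config_xml)
    vulnerable_code = (upstream_version(pkg_version) in AFFECTED_UPSTREAM
                       and pkg_version not in FIXED_BACKPORTS)
    return {"vulnerable_code": vulnerable_code,
            "url_auth_mounts": mounts,
            "exposed": vulnerable_code and bool(mounts)}

# Constructed sample configuration: one mount with URL auth, one without.
SAMPLE_CONFIG = """<icecast>
  <mount><mount-name>/live.ogg</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://auth.example.invalid/add"/>
    </authentication>
  </mount>
  <mount><mount-name>/open.ogg</mount-name></mount>
</icecast>"""

if __name__ == "__main__":
    for version in ("2.4.3-3", "2.4.2-1", "2.4.2-1+deb9u1", "2.4.4-1"):
        print(version, triage(version, SAMPLE_CONFIG))
```

A host that reports `vulnerable_code` without any URL-auth mount still needs the update; the config check only tells you which hosts to patch first.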



Reply sent to Unit 193 <unit193@ubuntu.com>:
You have taken responsibility. (Fri, 02 Nov 2018 11:12:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 02 Nov 2018 11:12:04 GMT)


Message #17 received at 912611-close@bugs.debian.org:

From: Unit 193 <unit193@ubuntu.com>
To: 912611-close@bugs.debian.org
Subject: Bug#912611: fixed in icecast2 2.4.4-1
Date: Fri, 02 Nov 2018 11:09:38 +0000
Source: icecast2
Source-Version: 2.4.4-1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@ubuntu.com> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 01 Nov 2018 18:07:33 -0400
Source: icecast2
Binary: icecast2
Architecture: source
Version: 2.4.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Unit 193 <unit193@ubuntu.com>
Description:
 icecast2   - streaming media server
Closes: 912611
Changes:
 icecast2 (2.4.4-1) unstable; urgency=high
 .
   * New upstream version 2.4.4
     - Fix buffer overflows in URL auth code. #2342
     - Closes: #912611, CVE-2018-18820
   * d/watch: Drop the svn-upgrade call, this hasn't been in svn for a long time.
   * d/gbp.conf: Rename section git-import-orig → import-orig.




Reply sent to Unit 193 <unit193@ubuntu.com>:
You have taken responsibility. (Sat, 10 Nov 2018 11:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Nov 2018 11:21:03 GMT)


Message #22 received at 912611-close@bugs.debian.org:

From: Unit 193 <unit193@ubuntu.com>
To: 912611-close@bugs.debian.org
Subject: Bug#912611: fixed in icecast2 2.4.2-1+deb9u1
Date: Sat, 10 Nov 2018 11:17:07 +0000
Source: icecast2
Source-Version: 2.4.2-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 912611@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@ubuntu.com> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 31 Oct 2018 01:26:56 -0400
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Unit 193 <unit193@ubuntu.com>
Description:
 icecast2   - streaming media server
Closes: 912611
Changes:
 icecast2 (2.4.2-1+deb9u1) stretch-security; urgency=high
 .
   * d/p/CVE-2018-18820.patch:
     - Cherry-pick upstream commits fixing buffer overflow in URL authentication
     - Closes: #912611, CVE-2018-18820




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Feb 2019 07:25:50 GMT)