Debian Bug report logs -
#770222
icecast2: CVE-2014-9018: on-connect scripts: icecast can leak output to attentive sources
Reported by: Sven Herzberg <sven.herzberg@cluepunk.com>
Date: Wed, 19 Nov 2014 20:57:01 UTC
Severity: critical
Tags: security, upstream
Found in versions icecast2/2.4.0-1, icecast2/2.4.0-1~bpo70+1
Fixed in version icecast2/2.4.0-1.1
Done: Simon Richter <sjr@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#770222
; Package icecast2
.
(Wed, 19 Nov 2014 20:57:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Sven Herzberg <sven.herzberg@cluepunk.com>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Wed, 19 Nov 2014 20:57:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: icecast2
Version: 2.4.0-1~bpo70+1
Severity: critical
Tags: security upstream
Justification: root security hole
Icecast can leak the output of on-connect scripts to source clients by
sending their output via HTTP.
This information-disclosure can contain confidential information if the
administrator of the icecast server did not explicitly check the output
of their scripts. Information contained can include passwords or script
interna helping to possibly exploit weak scripts.
This bug has been reported upstream [1] which fixed it quickly in the bugfix
release 2.4.1 [2]. Please consider upgrading to the latest upstream
version.
[1] https://trac.xiph.org/ticket/2089
[2] http://icecast.org/news/icecast-release-2_4_1/
-- System Information:
Debian Release: 7.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.41-042stab094.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages icecast2 depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.49
ii libc6 2.13-38+deb7u6
ii libcurl3-gnutls 7.26.0-1+wheezy11
ii libogg0 1.3.0-4
ii libspeex1 1.2~rc1-7
ii libtheora0 1.1.1+dfsg.1-3.1
ii libvorbis0a 1.3.2-1.3
ii libxml2 2.8.0+dfsg1-7+wheezy2
ii libxslt1.1 1.1.26-14.1
icecast2 recommends no packages.
Versions of packages icecast2 suggests:
pn ices2 <none>
-- Configuration Files:
/etc/default/icecast2 changed [not included]
/etc/icecast2/icecast.xml [Errno 13] Keine Berechtigung: u'/etc/icecast2/icecast.xml'
-- debconf information excluded
Marked as found in versions icecast2/2.4.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Wed, 19 Nov 2014 21:54:09 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#770222
; Package icecast2
.
(Wed, 19 Nov 2014 23:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to mmcallis@redhat.com
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Wed, 19 Nov 2014 23:33:05 GMT) (full text, mbox, link).
Message #12 received at 770222@bugs.debian.org (full text, mbox, reply):
Good morning,
It was reported that Icecast could possibly leak the contents of
on-connect scripts to clients, which may contain sensitive information.
This issue has been fixed in the 2.4.1 release:
http://icecast.org/news/icecast-release-2_4_1/
"Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
due to shared file descriptors."
References:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
https://trac.xiph.org/ticket/2089
Cheers,
--
Murray McAllister / Red Hat Product Security
https://bugzilla.redhat.com/show_bug.cgi?id=1165880
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#770222
; Package icecast2
.
(Thu, 20 Nov 2014 15:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to cve-assign@mitre.org
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Thu, 20 Nov 2014 15:00:04 GMT) (full text, mbox, link).
Message #17 received at 770222@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> It was reported that Icecast could possibly leak the contents of
> on-connect scripts to clients, which may contain sensitive information.
> This issue has been fixed in the 2.4.1 release:
> "Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
> due to shared file descriptors."
> Information contained can include passwords
> http://icecast.org/news/icecast-release-2_4_1/
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
> https://trac.xiph.org/ticket/2089
> https://trac.xiph.org/ticket/2087
> https://trac.xiph.org/changeset/19308
Use CVE-2014-9018.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)
iQEcBAEBAgAGBQJUbf+QAAoJEKllVAevmvmsB/QH/iv2tkycZVO3mWFqsEkkNWSj
v9B9xhVZzCGKnL3WU/89w6jszoCZfoJXA/kUPwnOzIyl2OpJNvHAKyRcONTo8gu8
rBpYYl2id90Xf4DEJucKjJFeMzo6q1BIxQAtOPro5VMBYZ+EC7Ups9AO0iMxzwr+
g9lusgsVy6jOEb+aeng3SX2GCgnwAv+SZ78wipPuBnxyO6Ec8W++lHOdB+7SDY/J
6A38oMJstLVy4PUSiHfNjK71Ej7m1Hx++mk3cMPXEINJh4dV9LcJEeAoANAePMma
gRwboepBmq5FDDsV099VPfqMB4XQli3svZEjdkUCbPhjl1D4dj8s74i0uF9GGyI=
=EjxT
-----END PGP SIGNATURE-----
Changed Bug title to 'icecast2: CVE-2014-9018: on-connect scripts: icecast can leak output to attentive sources' from 'icecast2: on-connect scripts: icecast can leak output to attentive sources'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 20 Nov 2014 15:06:10 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#770222
; Package icecast2
.
(Sun, 23 Nov 2014 19:24:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon Richter <Simon.Richter@hogyros.de>
:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(Sun, 23 Nov 2014 19:24:10 GMT) (full text, mbox, link).
Message #24 received at 770222@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
diff -Nru icecast2-2.4.0/debian/changelog icecast2-2.4.0/debian/changelog
--- icecast2-2.4.0/debian/changelog 2014-09-01 17:03:14.000000000 +0200
+++ icecast2-2.4.0/debian/changelog 2014-11-23 20:04:08.000000000 +0100
@@ -1,3 +1,11 @@
+icecast2 (2.4.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Include patchset 19313 (close file handles for external scripts).
+ (Closes: #770222)
+
+ -- Simon Richter <sjr@debian.org> Sun, 23 Nov 2014 20:02:58 +0100
+
icecast2 (2.4.0-1) unstable; urgency=medium
* Imported Upstream version 2.4.0
diff -Nru
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
---
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
1970-01-01 01:00:00.000000000 +0100
+++
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
2014-11-23 20:07:33.000000000 +0100
@@ -0,0 +1,80 @@
+Index: icecast2-2.4.0/src/source.c
+===================================================================
+--- icecast2-2.4.0.orig/src/source.c
++++ icecast2-2.4.0/src/source.c
+@@ -34,6 +34,12 @@
+ #define snprintf _snprintf
+ #endif
+
++#ifndef _WIN32
++/* for __setup_empty_script_environment() */
++#include <sys/stat.h>
++#include <fcntl.h>
++#endif
++
+ #include "thread/thread.h"
+ #include "avl/avl.h"
+ #include "httpp/httpp.h"
+@@ -1311,6 +1317,34 @@ void source_client_callback (client_t *c
+
+
+ #ifndef _WIN32
++/* this sets up the new environment for script execution.
++ * We ignore most failtures as we can not handle them anyway.
++ */
++static inline void __setup_empty_script_environment(void) {
++ int i;
++
++ /* close at least the first 1024 handles */
++ for (i = 0; i < 1024; i++)
++ close(i);
++
++ /* open null device */
++ i = open("/dev/null", O_RDWR);
++ if (i != -1) {
++ /* attach null device to stdin, stdout and stderr */
++ if (i != 0)
++ dup2(i, 0);
++ if (i != 1)
++ dup2(i, 1);
++ if (i != 2)
++ dup2(i, 2);
++
++ /* close null device */
++ if (i > 2)
++ close(i);
++ }
++}
++#endif
++
+ static void source_run_script (char *command, char *mountpoint)
+ {
+ pid_t pid, external_pid;
+@@ -1326,10 +1360,15 @@ static void source_run_script (char *com
+ ERROR2 ("Unable to fork %s (%s)", command,
strerror (errno));
+ break;
+ case 0: /* child */
++ if (access(command, R_OK|X_OK) != 0) {
++ ERROR2 ("Unable to run command %s (%s)",
command, strerror(errno));
++ exit(1);
++ }
+ DEBUG1 ("Starting command %s", command);
+- execl (command, command, mountpoint, (char *)NULL);
+- ERROR2 ("Unable to run command %s (%s)", command,
strerror (errno));
+- exit(0);
++ __setup_empty_script_environment();
++ /* consider to add action here as well */
++ execl(command, command, mountpoint, (char *)NULL);
++ exit(1);
+ default: /* parent */
+ break;
+ }
+@@ -1342,8 +1381,6 @@ static void source_run_script (char *com
+ break;
+ }
+ }
+-#endif
+-
+
+ static void *source_fallback_file (void *arg)
+ {
diff -Nru icecast2-2.4.0/debian/patches/series
icecast2-2.4.0/debian/patches/series
--- icecast2-2.4.0/debian/patches/series 1970-01-01
01:00:00.000000000 +0100
+++ icecast2-2.4.0/debian/patches/series 2014-11-23
19:52:21.000000000 +0100
@@ -0,0 +1 @@
+0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
[signature.asc (application/pgp-signature, attachment)]
Reply sent
to Simon Richter <sjr@debian.org>
:
You have taken responsibility.
(Wed, 26 Nov 2014 19:36:08 GMT) (full text, mbox, link).
Notification sent
to Sven Herzberg <sven.herzberg@cluepunk.com>
:
Bug acknowledged by developer.
(Wed, 26 Nov 2014 19:36:08 GMT) (full text, mbox, link).
Message #29 received at 770222-close@bugs.debian.org (full text, mbox, reply):
Source: icecast2
Source-Version: 2.4.0-1.1
We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 770222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Richter <sjr@debian.org> (supplier of updated icecast2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 23 Nov 2014 20:02:58 +0100
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Simon Richter <sjr@debian.org>
Description:
icecast2 - streaming media server
Closes: 770222
Changes:
icecast2 (2.4.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Include patchset 19313 (close file handles for external scripts).
(Closes: #770222)
Checksums-Sha1:
f07815e8f3a5e224586a07682b810175b6b4b8a0 1795 icecast2_2.4.0-1.1.dsc
4afe6209220fcbde5299dd9988987ce016eeb9d7 29244 icecast2_2.4.0-1.1.debian.tar.xz
32ca9d8e32f9acde56950d2c49550c322e219d0b 277488 icecast2_2.4.0-1.1_amd64.deb
Checksums-Sha256:
149ac55f0b9f687f8c7745b7441b4c6f264407a41b6493e884ac1fbc2b97648b 1795 icecast2_2.4.0-1.1.dsc
92d4df3614f535ab765954602c95318b680979051dda8b88b86c0f07d5fe6cf9 29244 icecast2_2.4.0-1.1.debian.tar.xz
4db127a84a19aaf48ace2604e529613e6d7e03b537adb129dff395c42d8ac697 277488 icecast2_2.4.0-1.1_amd64.deb
Files:
ac0e53e427e89add56022d383dece46a 1795 sound optional icecast2_2.4.0-1.1.dsc
85bdb6502864cc6371854ee6ccf27da1 29244 sound optional icecast2_2.4.0-1.1.debian.tar.xz
f0bb99682fa75d1fc9511f4e382cf2ef 277488 sound optional icecast2_2.4.0-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iJwEAQECAAYFAlRyMQ8ACgkQ0sfeulffv7v3PQP/X2MDVYx6lr7oooJvtMK+iB92
amqjkoEqv4srmN8twhZw5vvhGn6knL2KL5pJAXhuoruukKLlP4I4G3APV6klWwb1
mZF4l832t9/8BXDsKPWyyovFextsLFQxwvzRwQtZKz+H5ow+Zwvp22U6UZ5xgpb9
yahs+YXSlxeQvZ0AKzg=
=4Bkj
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 30 Dec 2014 07:27:16 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:28:08 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.