icecast2: CVE-2014-9018: on-connect scripts: icecast can leak output to attentive sources

Related Vulnerabilities: CVE-2014-9018  

Debian Bug report logs - #770222

Reported by: Sven Herzberg <sven.herzberg@cluepunk.com>

Date: Wed, 19 Nov 2014 20:57:01 UTC

Severity: critical

Tags: security, upstream

Found in versions icecast2/2.4.0-1, icecast2/2.4.0-1~bpo70+1

Fixed in version icecast2/2.4.0-1.1

Done: Simon Richter <sjr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#770222; Package icecast2. (Wed, 19 Nov 2014 20:57:06 GMT)


Acknowledgement sent to Sven Herzberg <sven.herzberg@cluepunk.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 19 Nov 2014 20:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sven Herzberg <sven.herzberg@cluepunk.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icecast2: on-connect scripts: icecast can leak output to attentive sources
Date: Wed, 19 Nov 2014 21:15:10 +0100
Package: icecast2
Version: 2.4.0-1~bpo70+1
Severity: critical
Tags: security upstream
Justification: root security hole

Icecast can leak the output of on-connect scripts to source clients by
sending their output via HTTP.

This information disclosure can contain confidential information if the
administrator of the icecast server did not explicitly check the output
of their scripts. Information contained can include passwords or script
internals helping to possibly exploit weak scripts.

This bug has been reported upstream [1] which fixed it quickly in the bugfix
release 2.4.1 [2]. Please consider upgrading to the latest upstream
version.

[1] https://trac.xiph.org/ticket/2089
[2] http://icecast.org/news/icecast-release-2_4_1/

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.41-042stab094.7 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages icecast2 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38+deb7u6
ii  libcurl3-gnutls        7.26.0-1+wheezy11
ii  libogg0                1.3.0-4
ii  libspeex1              1.2~rc1-7
ii  libtheora0             1.1.1+dfsg.1-3.1
ii  libvorbis0a            1.3.2-1.3
ii  libxml2                2.8.0+dfsg1-7+wheezy2
ii  libxslt1.1             1.1.26-14.1

icecast2 recommends no packages.

Versions of packages icecast2 suggests:
pn  ices2  <none>

-- Configuration Files:
/etc/default/icecast2 changed [not included]
/etc/icecast2/icecast.xml [Errno 13] Keine Berechtigung: u'/etc/icecast2/icecast.xml'

-- debconf information excluded



Marked as found in versions icecast2/2.4.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 21:54:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#770222; Package icecast2. (Wed, 19 Nov 2014 23:33:05 GMT)


Acknowledgement sent to mmcallis@redhat.com:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 19 Nov 2014 23:33:05 GMT)


Message #12 received at 770222@bugs.debian.org:

From: Murray McAllister <mmcallis@redhat.com>
To: oss-security@lists.openwall.com
Cc: 770222@bugs.debian.org
Subject: CVE request: icecast: possible leak of on-connect scripts
Date: Thu, 20 Nov 2014 10:31:54 +1100

Good morning,

It was reported that Icecast could possibly leak the contents of 
on-connect scripts to clients, which may contain sensitive information. 
This issue has been fixed in the 2.4.1 release:

http://icecast.org/news/icecast-release-2_4_1/

"Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption 
due to shared file descriptors."

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222

https://trac.xiph.org/ticket/2089

Cheers,

--
Murray McAllister / Red Hat Product Security

https://bugzilla.redhat.com/show_bug.cgi?id=1165880
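
The mechanism named in the release note quoted above (a script's stdio sharing descriptors with the server), shown as an added C example that is not part of this bug log or of Icecast's code. A pipe stands in for a client connection sitting in the stdout slot; `stdio_to_devnull`, `script_bytes_seen_by_client` and the echoed token are hypothetical, constructed names and values.

```c
/* Added example: constructed demo, not Icecast code. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: attach /dev/null to fds 0-2; -1 means "do not exec". */
static int stdio_to_devnull(void) {
    int fd = open("/dev/null", O_RDWR);
    if (fd == -1) return -1;
    for (int i = 0; i <= 2; i++)
        if (fd != i && dup2(fd, i) == -1) return -1;
    if (fd > 2) close(fd);
    return 0;
}

/* Runs a constructed "script" whose stdout slot holds a pipe standing in for
 * a client connection; returns the bytes that reached the "client". */
ssize_t script_bytes_seen_by_client(int sanitize, char *buf, size_t len) {
    int conn[2];
    if (len == 0 || pipe(conn) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(conn[0]); close(conn[1]); return -1; }
    if (pid == 0) {                      /* child: about to become the script */
        close(conn[0]);
        if (conn[1] != 1) { dup2(conn[1], 1); close(conn[1]); }
        if (sanitize && stdio_to_devnull() != 0) _exit(1);
        execl("/bin/sh", "sh", "-c", "echo token=constructed-secret", (char *)NULL);
        _exit(127);
    }
    close(conn[1]);                      /* parent keeps only the read end */
    size_t total = 0;
    ssize_t n;
    while (total < len - 1 && (n = read(conn[0], buf + total, len - 1 - total)) > 0)
        total += (size_t)n;
    buf[total] = '\0';
    close(conn[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)total;
}

int main(void) {
    char buf[64];
    printf("inherited stdio: %zd bytes reached the client\n",
           script_bytes_seen_by_client(0, buf, sizeof buf));
    printf("stdio on /dev/null: %zd bytes reached the client\n",
           script_bytes_seen_by_client(1, buf, sizeof buf));
    return 0;
}
```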



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#770222; Package icecast2. (Thu, 20 Nov 2014 15:00:04 GMT)


Acknowledgement sent to cve-assign@mitre.org:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 20 Nov 2014 15:00:04 GMT)


Message #17 received at 770222@bugs.debian.org:

From: cve-assign@mitre.org
To: mmcallis@redhat.com
Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 770222@bugs.debian.org
Subject: Re: CVE request: icecast: possible leak of on-connect scripts
Date: Thu, 20 Nov 2014 09:52:44 -0500 (EST)

> It was reported that Icecast could possibly leak the contents of
> on-connect scripts to clients, which may contain sensitive information.
> This issue has been fixed in the 2.4.1 release:

> "Fix on-connect and on-disconnect script STDIN/STDOUT/STDERR corruption
> due to shared file descriptors."

> Information contained can include passwords

> http://icecast.org/news/icecast-release-2_4_1/
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222
> https://trac.xiph.org/ticket/2089
> https://trac.xiph.org/ticket/2087
> https://trac.xiph.org/changeset/19308

Use CVE-2014-9018.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]



Changed Bug title to 'icecast2: CVE-2014-9018: on-connect scripts: icecast can leak output to attentive sources' from 'icecast2: on-connect scripts: icecast can leak output to attentive sources'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Nov 2014 15:06:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#770222; Package icecast2. (Sun, 23 Nov 2014 19:24:10 GMT)


Acknowledgement sent to Simon Richter <Simon.Richter@hogyros.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 23 Nov 2014 19:24:10 GMT)


Message #24 received at 770222@bugs.debian.org:

From: Simon Richter <Simon.Richter@hogyros.de>
To: 770222@bugs.debian.org
Subject: NMU uploaded to DELAYED-3
Date: Sun, 23 Nov 2014 20:11:59 +0100
diff -Nru icecast2-2.4.0/debian/changelog icecast2-2.4.0/debian/changelog
--- icecast2-2.4.0/debian/changelog     2014-09-01 17:03:14.000000000 +0200
+++ icecast2-2.4.0/debian/changelog     2014-11-23 20:04:08.000000000 +0100
@@ -1,3 +1,11 @@
+icecast2 (2.4.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Include patchset 19313 (close file handles for external scripts).
+    (Closes: #770222)
+
+ -- Simon Richter <sjr@debian.org>  Sun, 23 Nov 2014 20:02:58 +0100
+
 icecast2 (2.4.0-1) unstable; urgency=medium

   * Imported Upstream version 2.4.0
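
Review bot: The new 2.4.0-1.1 changelog entry names the Debian bug (Closes: #770222) but not the CVE id, although the bug is titled with CVE-2014-9018. Adding the id to the "Include patchset 19313" line lets the upload be matched to the advisory from the changelog alone. The CVE assignment mail in this log cites changeset 19308, so a word on how patchset 19313 relates to it would also help.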
diff -Nru
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
---
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
     1970-01-01 01:00:00.000000000 +0100
+++
icecast2-2.4.0/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles
     2014-11-23 20:07:33.000000000 +0100
@@ -0,0 +1,80 @@
+Index: icecast2-2.4.0/src/source.c
+===================================================================
+--- icecast2-2.4.0.orig/src/source.c
++++ icecast2-2.4.0/src/source.c
+@@ -34,6 +34,12 @@
+ #define snprintf _snprintf
+ #endif
+
++#ifndef _WIN32
++/* for __setup_empty_script_environment() */
++#include <sys/stat.h>
++#include <fcntl.h>
++#endif
++
+ #include "thread/thread.h"
+ #include "avl/avl.h"
+ #include "httpp/httpp.h"
+@@ -1311,6 +1317,34 @@ void source_client_callback (client_t *c
+
+
+ #ifndef _WIN32
++/* this sets up the new environment for script execution.
++ * We ignore most failtures as we can not handle them anyway.
++ */
++static inline void __setup_empty_script_environment(void) {
++    int i;
++
++    /* close at least the first 1024 handles */
++    for (i = 0; i < 1024; i++)
++        close(i);
++
++    /* open null device */
++    i = open("/dev/null", O_RDWR);
++    if (i != -1) {
++        /* attach null device to stdin, stdout and stderr */
++        if (i != 0)
++            dup2(i, 0);
++        if (i != 1)
++            dup2(i, 1);
++        if (i != 2)
++            dup2(i, 2);
++
++        /* close null device */
++        if (i > 2)
++            close(i);
++    }
++}
++#endif
++
+ static void source_run_script (char *command, char *mountpoint)
+ {
+     pid_t pid, external_pid;
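
Review bot: In __setup_empty_script_environment() the close loop stops at a hard-coded 1024, so a descriptor numbered 1024 or higher is still inherited by the script; take the bound from getrlimit(RLIMIT_NOFILE) or sysconf(_SC_OPEN_MAX) rather than a constant. Separately, when open("/dev/null", O_RDWR) returns -1 the function falls through silently and the script starts with descriptors 0-2 closed, so the first files it opens land in its stdio slots; returning a status and skipping the execl() on failure would avoid that. Minor: "failtures" in the comment.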
+@@ -1326,10 +1360,15 @@ static void source_run_script (char *com
+                     ERROR2 ("Unable to fork %s (%s)", command,
strerror (errno));
+                     break;
+                 case 0:  /* child */
++                    if (access(command, R_OK|X_OK) != 0) {
++                        ERROR2 ("Unable to run command %s (%s)",
command, strerror(errno));
++                        exit(1);
++                    }
+                     DEBUG1 ("Starting command %s", command);
+-                    execl (command, command, mountpoint, (char *)NULL);
+-                    ERROR2 ("Unable to run command %s (%s)", command,
strerror (errno));
+-                    exit(0);
++                    __setup_empty_script_environment();
++                    /* consider to add action here as well */
++                    execl(command, command, mountpoint, (char *)NULL);
++                    exit(1);
+                 default: /* parent */
+                     break;
+             }
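
Review bot: In the child branch, the ERROR2 that followed execl() is dropped without a replacement, so an exec failure that the earlier access(command, R_OK|X_OK) check does not predict (the file changing between check and exec, or a missing interpreter) now ends in a bare exit(1) with nothing logged. Since the log descriptors are closed by that point, consider having the parent log a non-zero child exit status, and replace the placeholder comment "consider to add action here as well" with what is actually intended. Using _exit() instead of exit() in the forked child would also avoid running the parent's atexit handlers and flushing inherited stdio buffers.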
+@@ -1342,8 +1381,6 @@ static void source_run_script (char *com
+             break;
+     }
+ }
+-#endif
+-
+
+ static void *source_fallback_file (void *arg)
+ {
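
Review bot: Removing the #endif after source_run_script() while adding one directly after __setup_empty_script_environment() leaves source_run_script() outside the #ifndef _WIN32 block, as far as these hunks show, yet it calls the helper that is only defined inside that block. Unless the function body carries its own guard not visible here, keep both functions under the same #ifndef _WIN32 (drop the added #endif and retain this one).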
diff -Nru icecast2-2.4.0/debian/patches/series
icecast2-2.4.0/debian/patches/series
--- icecast2-2.4.0/debian/patches/series        1970-01-01
01:00:00.000000000 +0100
+++ icecast2-2.4.0/debian/patches/series        2014-11-23
19:52:21.000000000 +0100
@@ -0,0 +1 @@
+0001-disconnects_stdio_of_on_dis_connect_scripts_from_random_filehandles

Reply sent to Simon Richter <sjr@debian.org>:
You have taken responsibility. (Wed, 26 Nov 2014 19:36:08 GMT)


Notification sent to Sven Herzberg <sven.herzberg@cluepunk.com>:
Bug acknowledged by developer. (Wed, 26 Nov 2014 19:36:08 GMT)


Message #29 received at 770222-close@bugs.debian.org:

From: Simon Richter <sjr@debian.org>
To: 770222-close@bugs.debian.org
Subject: Bug#770222: fixed in icecast2 2.4.0-1.1
Date: Wed, 26 Nov 2014 19:34:25 +0000

Source: icecast2
Source-Version: 2.4.0-1.1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Richter <sjr@debian.org> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 23 Nov 2014 20:02:58 +0100
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Simon Richter <sjr@debian.org>
Description:
 icecast2   - streaming media server
Closes: 770222
Changes:
 icecast2 (2.4.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Include patchset 19313 (close file handles for external scripts).
     (Closes: #770222)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Dec 2014 07:27:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:28:08 2019; Machine Name: buxtehude
