icecast2: Several vulnerabilities in Icecast2

Related Vulnerabilities: CVE-2005-0838, CVE-2005-0837

Debian Bug report logs - #301368
icecast2: Several vulnerabilities in Icecast2

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 25 Mar 2005 12:33:01 UTC

Severity: normal

Tags: security

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#301368; Package icecast2.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: icecast2: Several vulnerabilities in Icecast2
Date: Fri, 25 Mar 2005 13:22:54 +0100
Package: icecast2
Severity: grave
Tags: security
Justification: user security hole

Several security issues have been reported for Icecast2. Please refer to
the CAN Ids in the changelog when fixing them:

CAN-2005-0838:
Multiple buffer overflows in the XSL parser may cause DoS and possibly
remote code execution through overly long values in the xsl:when and
xsl:if tags and overly long select values in the xsl:value-of tag.

CAN-2005-0839:
A remote attacker can bypass security measures and can obtain access to
XSL files through a request for an xsl-file with a trailing dot.

See these URLs for reference:
http://xforce.iss.net/xforce/xfdb/19760/
http://xforce.iss.net/xforce/xfdb/19753/

I could not find fixes on the Icecast website, please contact upstream for
a solution.

Cheers,
        Moritz

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>:
Bug#301368; Package icecast2.


Acknowledgement sent to Paul Wise <pabs@zip.to>:
Extra info received and forwarded to list. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #10 received at 301368@bugs.debian.org:

From: Paul Wise <pabs@zip.to>
To: Debian Bug Tracking System <301368@bugs.debian.org>
Subject: icecast2: a response from upstream
Date: Thu, 31 Mar 2005 20:25:07 +0800
Package: icecast2
Followup-For: Bug #301368

I butted into #icecast on freenode and got this:

Mar 31 18:34:37 <pabs3> does anyone know if there is a fix for this security issue available? http://securitytracker.com/alerts/2005/Mar/1013475.html
Mar 31 18:35:53 <dm8tbr> it was discussed here some time ago
Mar 31 18:41:38 <pabs3> ...and is there a fix available?
Mar 31 18:42:59 <trippeh> it's not much of an issue, you can gain rights to, err, yourself. and the xsl-problems seem to be in libxslt, not icecast (not that it's much of a critical issue that either)
Mar 31 18:46:08 <trippeh> it's not common to have write access to icecast's xsl/webroot files, and if you do, you have in 99.9999% of the cases access to the icecast user anyway.
Mar 31 18:51:10 <pabs3> hm, would anyone care to add something to this bug report and perhaps recommend downgrading it to something not release-critical? http://bugs.debian.org/301368
Mar 31 18:51:46 <pabs3> or perhaps recommend reassigning to libxslt?

Hope that helps a little.

-- 
bye,
pabs

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#301368; Package icecast2.


Acknowledgement sent to Jonas Smedegaard <dr@jones.dk>:
Extra info received and forwarded to list.


Message #15 received at 301368@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 301368@bugs.debian.org, control@bugs.debian.org
Subject: Upstream says this is non-fatal
Date: Mon, 11 Apr 2005 04:36:30 +0200
severity 301368 normal
thanks

This seems to not be fatal, so downgrading.

Thanks for reporting and investigating!


 - Jonas

-- 
* Jonas Smedegaard - idealist and Internet architect
* Tel.: +45 40843136  Website: http://dr.jones.dk/

 - The end is near: http://www.shibumi.org/eoti.htm



Severity set to `normal'. Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org.


Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility.


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.


Message #22 received at 301368-done@bugs.debian.org:

From: Ben Hutchings <ben@decadent.org.uk>
To: 301368-done@bugs.debian.org
Subject: Re: icecast2: Several vulnerabilities in Icecast2
Date: Sun, 13 Apr 2008 03:29:33 +0100
The original report on Bugtraq
<http://www.securityfocus.com/archive/1/393705> said:

> These are tested on IceCast v2.20. This software can be freely
> obtained from http://www.icecast.org.
> 
> "Icecast is a streaming media server which currently supports Ogg 
> Vorbis and MP3 audio streams. It can be used to create an Internet 
> radio station or a privately running jukebox and many things in 
> between. It is very versatile in that new formats can be added 
> relatively easily and supports open standards for communication and 
> interaction."
> 
> 1) The XSL parser has some unchecked buffers (local), but they don't
> seem to be exploitable. If they are, they can be used for privilege
> escalation, under the user that the server runs.
> 
> <xsl:when test="<lots of chars>"></xsl:when>
> <xsl:if test="<lots of chars>"></xsl:if>
> <xsl:value-of select="<lots of chars>" />

This is CVE-2005-0838.  The bug may still exist, but as previously
stated the XSLT files are trusted data (supplied by the server operator,
not by users) so this is not a security bug.

> 2) Cause XSL parser error "Could not parse XSLT file". (Not very
> useful).
> 
> GET /status.xsl> HTTP/1.0
> GET /status.xsl< HTTP/1.0
> GET /<status.xsl HTTP/1.0

Icecast treats any URL matching .*\.xsl[^.]* as a request for a page
generated by XSLT.  It shows this error message with a 404 status code
for both missing/inaccessible files (based on stat()) and parse
failures.  The current version of Icecast (2.3.1-6.1) gives up after the
stat() fails with ENOENT.

Icecast 2.2.0 behaved slightly differently and should produce the usual
404 message for a missing XSLT file.  However it's possible that it
behaved like this on Windows if stat() succeeded but open() failed.

In short, this is not a security bug now, if it ever was.

> 3) XSL parser bypass. (Useful to steal customized XSL files, lol).
> 
> GET /auth.xsl. HTTP/1.0
> GET /status.xsl. HTTP/1.0

This is CVE-2005-0837 (not -0839 as originally reported).  It is not
reproducible in the current version (2.3.1-6.1).  It looks like this was
(and still is) exploitable only on Windows.  This is because Win32
ignores trailing dots in file paths and Icecast does not.

Ben.

-- 
Ben Hutchings
If at first you don't succeed, you're doing about average.
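
Added example, not part of the bug log and not Icecast's code: a C model of the URL match Ben Hutchings describes above (`.*\.xsl[^.]*`), showing why `/status.xsl.` falls through to static file serving, next to a check that refuses path components Win32 would alias to another file. The function names, the route enum and the sample paths are constructed for illustration; rejecting a trailing space as well as a trailing dot is an extra conservative choice the thread does not discuss.

```c
#include <stdio.h>
#include <string.h>

enum route { ROUTE_STATIC, ROUTE_XSLT, ROUTE_REJECT };

/* Model of the match described in the thread, .*\.xsl[^.]* :
 * a full match requires the last '.' in the path to start ".xsl". */
static int looks_like_xslt(const char *path)
{
    const char *dot = strrchr(path, '.');
    return dot != NULL && strncmp(dot, ".xsl", 4) == 0;
}

/* Routing as described: whatever is not XSLT is served as a plain file. */
enum route route_naive(const char *path)
{
    return looks_like_xslt(path) ? ROUTE_XSLT : ROUTE_STATIC;
}

/* Nonzero if any path component ends in '.' or ' '. Win32 drops such
 * trailing characters when opening a file, so "status.xsl." opens
 * "status.xsl". This also catches the "." and ".." components. */
static int has_aliasing_suffix(const char *path)
{
    size_t i, len = strlen(path);
    for (i = 0; i < len; i++) {
        int ends = i + 1 == len || path[i + 1] == '/' || path[i + 1] == '\\';
        if (ends && (path[i] == '.' || path[i] == ' '))
            return 1;
    }
    return 0;
}

/* Hardened routing (assumed design): refuse before classifying. */
enum route route_hardened(const char *path)
{
    return has_aliasing_suffix(path) ? ROUTE_REJECT : route_naive(path);
}

int main(void)
{
    /* Constructed sample paths, taken from the request lines quoted above. */
    const char *samples[] = { "/status.xsl", "/status.xsl.", "/auth.xsl.", "/status.xsl>" };
    const char *names[] = { "static", "xslt", "reject" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s naive=%-6s hardened=%s\n", samples[i],
               names[route_naive(samples[i])], names[route_hardened(samples[i])]);
    return 0;
}
```

The naive router sends `/status.xsl.` down the static-file path, which is harmless where the filesystem treats the trailing dot as part of the name and discloses the stylesheet source where it does not.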

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 May 2008 07:51:44 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:13:53 2019; Machine Name: buxtehude
