Bugzilla – Bug 926402
VUL-0: CVE-2015-3026: icecast: remote denial of service vulnerability fixed in 2.4.2
Last modified: 2015-04-16 21:05:12 UTC
via oss-sec:

Subject: [oss-security] CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed in 2.4.2
Date: Wed, 08 Apr 2015 13:03:24 +0000
From: Thomas B. Rücker <thomas@ruecker.fi>
Reply-To: oss-security@lists.openwall.com
To: oss-security@lists.openwall.com

A new version of Icecast was released, following the discovery of a remote denial of service vulnerability by Juliane Holzt earlier today.

Affected Icecast versions:
2.3.3 (first release with stream_auth)
2.4.0
2.4.1

Fix released in: 2.4.2

We do not release fixes for:
2.3.3: EOL
2.4.0: not necessary, as 2.4.1 was a bugfix release for 2.4.0.

On 04/08/2015 12:52 PM, "Thomas B. Rücker" wrote:
>
> Today we became aware of a bug in the Icecast code handling source
> client URL-authentication and are releasing a security fix.
> The bug was discovered by Juliane Holzt, who we'd like to thank for
> bringing this to our attention and providing us with further details.
> [...]
> The bug can only be triggered if "stream_auth" is being used, for example:
> <mount>
>   <mount-name>/test.ogg</mount-name>
>   <authentication type="url">
>     <option name="stream_auth" value="http://localhost/auth"/>
>   </authentication>
> </mount>
>
> This means, that all installations that use a default configuration are
> NOT affected. The default configuration only uses <source-password>.
> Neither are simple mountpoints affected that use <password>.
>
> A workaround, if installing an updated package is not possible, is to
> disable "stream_auth" and use <password> instead.
>
> As far as we understand the bug only leads to a simple remote denial of
> service. The underlying issue is a null pointer dereference. For
> clarity: No remote code execution should be possible, server just segfaults.
>
> Proof of concept:
> curl "http://example.org:8000/admin/killsource?mount=/test.ogg"
> If the server is configured as above, then it will segfault. A source
> client does not need to be connected to that mount point.
> As Juliane points out: "This only happens when making a request WITHOUT
> login credentials."
> This means, that sadly exploiting this does not require any
> authentication, just the knowledge of a mount point configured with
> stream_auth.
>
> Original Debian bug report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
>
> Xiph.org ticket:
> https://trac.xiph.org/ticket/2191
>
> Sources:
> http://downloads.xiph.org/releases/icecast/icecast-2.4.2.tar.gz
> SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
> git-tag: release-2.4.2
>
> As usual there are up to date packages available for most mainstream
> distributions. We've moved from my personal project to an official
> Xiph.org project on openSUSE OBS:
> https://build.opensuse.org/package/show/multimedia:xiph/icecast
> Individual repositories are here:
>
> A copy of the openSUSE OBS multimedia signing key is here:
> http://icecast.org/multimedia-obs.key
>
> The Windows version will be updated later today.
> [...]
> We are requesting a CVE ID through oss-security and I will update the
> ticket once we have received it.

openSUSE:Factory is at 2.4.1, affected
13.2: 2.4.0 affected
13.1: 2.3.3 affected and EOL, no update on that track
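The advisory quoted above says the crash is reachable only on mounts whose URL authentication sets the "stream_auth" option, and that the workaround is to drop that option in favour of <password>. The following script is an added example for this bug page, not code from the report or from the Icecast project: it parses an icecast.xml and lists the mounts that match the affected configuration, so an administrator who cannot upgrade immediately knows which mounts to change. The sample configuration embedded in it is constructed for illustration, and the function names are my own.

```python
"""List Icecast mounts that use the "stream_auth" URL-authentication option.

Added example for the CVE-2015-3026 bug report: a pre-2.4.2 server with
such a mount can be crashed by an unauthenticated admin/killsource request,
so these are the mounts to upgrade for or to switch to <password>.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample icecast.xml: /test.ogg matches the affected
# configuration from the advisory, /simple.ogg uses a plain <password>,
# and /listeners.ogg uses URL auth without the stream_auth option.
SAMPLE_CONFIG = """<icecast>
  <authentication>
    <source-password>hackme</source-password>
  </authentication>
  <mount>
    <mount-name>/test.ogg</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://localhost/auth"/>
    </authentication>
  </mount>
  <mount>
    <mount-name>/simple.ogg</mount-name>
    <password>secret</password>
  </mount>
  <mount>
    <mount-name>/listeners.ogg</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://localhost/listener_add"/>
    </authentication>
  </mount>
</icecast>
"""


def stream_auth_mounts(config_xml):
    """Return the mount names whose <authentication type="url"> block
    sets a non-empty stream_auth option (hypothetical helper name)."""
    root = ET.fromstring(config_xml)
    affected = []
    for mount in root.iter("mount"):
        name_el = mount.find("mount-name")
        name = (name_el.text or "").strip() if name_el is not None else ""
        name = name or "<unnamed mount>"
        for auth in mount.findall("authentication"):
            if auth.get("type") != "url":
                continue
            if any(opt.get("name") == "stream_auth" and opt.get("value")
                   for opt in auth.findall("option")):
                affected.append(name)
                break
    return affected


def check_file(path):
    """Read an icecast.xml from disk and return its stream_auth mounts."""
    with open(path, encoding="utf-8") as fh:
        return stream_auth_mounts(fh.read())


if __name__ == "__main__":
    mounts = check_file(sys.argv[1]) if len(sys.argv) > 1 \
        else stream_auth_mounts(SAMPLE_CONFIG)
    if mounts:
        print("stream_auth in use on:", ", ".join(mounts))
        print("Upgrade to icecast >= 2.4.2 or switch these mounts to <password>.")
    else:
        print("No stream_auth mounts found.")
```

Run it with the path to the server's icecast.xml as the only argument; without an argument it scans the embedded sample and reports /test.ogg. Mounts that use URL authentication for listener handling only, without stream_auth, are not reported, matching the advisory's statement that only stream_auth triggers the null pointer dereference.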
I already have updates ready for submission, just waiting for CVE# assignment. They are found in OBS home:tiwai:branches:OBS_Maintained:icecast repo. The package in OBS multimedia:apps was already updated to 2.4.2 and submitted to FACTORY.

BTW:
> openSUSE:Factory is at 2.4.1, affected
> 13.2: 2.4.0 affected
> 13.1: 2.3.3 affected and EOL, no update on that track

Is oS-13.1 really EOL...?
(In reply to Takashi Iwai from comment #2)
> > 13.1: 2.3.3 affected and EOL, no update on that track
>
> Is oS-13.1 really EOL...?

No, icecast 2.3.x is.
(In reply to Andreas Stieger from comment #3)
> (In reply to Takashi Iwai from comment #2)
> > > 13.1: 2.3.3 affected and EOL, no update on that track
> >
> > Is oS-13.1 really EOL...?
>
> No, icecast 2.3.x is.

Relieved :)
bugbot adjusting priority
The fixed packages have been submitted to 13.1 and 13.2 via SRID 295142 and 295143. Reassigned back to security-team.
This is an autogenerated message for OBS integration:
This bug (926402) was mentioned in
https://build.opensuse.org/request/show/295142 13.1 / icecast
https://build.opensuse.org/request/show/295143 13.2 / icecast
(In reply to Takashi Iwai from comment #4)
> (In reply to Andreas Stieger from comment #3)
> > (In reply to Takashi Iwai from comment #2)
> > > > 13.1: 2.3.3 affected and EOL, no update on that track
> > >
> > > Is oS-13.1 really EOL...?
> >
> > No, icecast 2.3.x is.
>
> Relieved :)

Feel free to cherry-pick the two commits that make up 2.4.2. It _should_ work with 2.3.3, but we didn't bother testing as we don't maintain 2.3.x anymore. It _may_ need one or two changes that we did for 2.4.0.

If you decide not to, I'm just leaving this as an FYI for affected users that want 2.4.2:
https://build.opensuse.org/package/show/multimedia:xiph/icecast
(While perfectly working, my 2.4.x packaging is still quite ugly in terms of OBS rpm spec due to multi distro support, 2.5 will look cleaner)
releasing for 13.1/13.2
openSUSE-SU-2015:0728-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 926402
CVE References: CVE-2015-3026
Sources used:
openSUSE 13.2 (src): icecast-2.4.0-2.11.1
openSUSE 13.1 (src): icecast-2.3.3-2.15.1