| Field | Value |
|---|---|
| Summary | icecast new security issue CVE-2018-18820 |
| Product | Mageia |
| Reporter | David Walser <luigiwalser> |
| Component | Security |
| Assignee | QA Team <qa-bugs> |
| Status | RESOLVED FIXED |
| QA Contact | Sec team <security> |
| Severity | normal |
| Priority | Normal |
| CC | brtians1, geiger.david68210, herman.viaene, lewyssmith, sysadmin-bugs, tarazed25 |
| Version | 6 |
| Keywords | advisory, validated_update |
| Target Milestone | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | MGA6-64-OK |
| Source RPM | icecast-2.4.3-5.mga7.src.rpm |
| CVE | |
| Status comment | |
| Attachments | screen print and notes - openoffice format |
|
Description
David Walser
2018-11-02 13:57:37 CET
David Walser
2018-11-02 13:57:44 CET
Whiteboard: (none) => MGA6TOO

Done for Cauldron and mga6!

CC: (none) => geiger.david68210

Advisory:
========================

Updated icecast packages fix security vulnerability:

Buffer overflows in URL auth code if there is a "mount" definition that enables URL authentication. A malicious client could send long HTTP headers, leading to a buffer overflow and potential remote code execution (CVE-2018-18820).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18820
https://www.openwall.com/lists/oss-security/2018/11/01/3
========================

Updated packages in core/updates_testing:
========================

icecast-2.4.4-1.mga6 from icecast-2.4.4-1.mga6.src.rpm

Version: Cauldron => 6

MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Tried to follow bug 14629 Comment 2, but I don't get it: in step 3 on the vlc setup it says: "set server: localhost, port:8000, mountpoint: test login: source, password:2" but the vlc dialogue only asks for Address, mount point and password and I get:

$ mplayer http://localhost:8000/test
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.
Playing http://localhost:8000/test.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/test
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/test

CC: (none) => herman.viaene

Errors when starting stream in vlc:

[b1f10fb8] access_output_shout access out error: failed to initialize shout streaming to localhost:8000//test
[b1f15080] stream_out_standard stream out error: no suitable sout access module for `shout/mp3:////tester@localhost:8000/test'
[b1f15380] main stream output error: stream chain failed for `std{access=shout,mux=mp3,dst=//tester@localhost:8000/test}'
[09741ea0] main input error: cannot start stream output instance, aborting

Note: the mux parameter is set to ogg by vlc, I changed it before submitting to mp3, but my first tries were with the ogg setting, and they gave the same result.

Debian has issued an advisory for this on November 4:
https://www.debian.org/security/2018/dsa-4333

Re comment #3: The wizard did present the port number as well.

Re comment #4: Tried this for x86_64 before updating and saw very similar output from vlc and mplayer.

$ mplayer http://localhost:8000/ice
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.
Playing http://localhost:8000/ice.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/ice
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...
connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...
Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/ice
Exiting... (End of file)

CC: (none) => tarazed25

The following 2 packages are going to be installed:

- icecast-2.4.4-1.mga6.x86_64
- perl-MP3-Info-1.240.0-7.mga6.noarch

437KB of additional disk space will be used.

$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I had to go in:
1. Add my id to the icecast group
2. From root user: # chmod g+w /var/log/icecast

To run it:
$ icecast -c /etc/icecast.xml

CC: (none) => brtians1

Created attachment 10515 [details]
screen print and notes - openoffice format

Brian Rockwell
2018-11-28 05:13:46 CET

Whiteboard: (none) => MGA6-64-OK

Lewis Smith
2018-11-28 19:51:17 CET

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0472.html

Status: NEW => RESOLVED