It was found that icecast 2.4.0 and earlier could share file descriptor between the daemon and processes forked for the on-connect and on-disconnect options in the config file, potentially providing information from the scripts to external clients. http://openwall.com/lists/oss-security/2014/11/20/22 Fixed in cauldron. Reproducible: Steps to Reproduce:
Updated packages are ready for testing: MGA4 SRPM: icecast-2.3.2-8.1.mga4.src.rpm RPMS: icecast-2.3.2-8.1.mga4.i586.rpm icecast-2.3.2-8.1.mga4.x86_64.rpm MGA3 SRPM icecast-2.3.2-7.1.mga3.src.rpm RPMS: icecast-2.3.2-7.1.mga3.i586.rpm icecast-2.3.2-7.1.mga3.x86_64.rpm Advisory: Icecast did not properly handle the launching of "scripts" on connect or disconnect of sources. This could result in sensitive information from these scripts leaking to (external) clients. (CVE-2014-9018) References: https://trac.xiph.org/ticket/2089 https://trac.xiph.org/ticket/2087 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770222 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9018
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA3TOO
Possible procedure: 1. install icecast 2. configure a source password in /etc/icecast.xml 3. (re)start icecast.service using systemctl 4. install vlc-plugin-shout 5. launch vlc 6. follow the instructions at https://wiki.videolan.org/Documentation:Streaming_HowTo_New/#Streaming_using_the_GUI - select one file, mp3 format - remember to click "Add" after selecting icecast as source - set server: localhost, port:8000, mountpoint: test login: source, password: [see 2.] - uncheck "display locally" - on the next page, disable "Activate Transcoding" 7. point an audioplayer to the stream, e.g. mplayer: mplayer http://localhost:8000/test If the mp3 selected in point 6 can be heard the test was successful. Alternative procedure: use ices (or idjc but it also emits the sound itself, making it harder to check if the stream works). I tested the reworked script feature in cauldron.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing on Mageia4-64 real hardware, using procedure in comment 2. With current package : ------------------- $ rpm -q icecast icecast-2.3.2-8.mga4 # nano /etc/icecast.xml Source password was already set ('hackme'), I didn't change it as it was only for testing purpose. # systemctl restart icecast Launched vlc installed with vlc-plugin-shout in Vlc Menu Media/Stream, selected a local mp3.file and Broadcast Next Destination : HTTP + Add (choose Port 8000, Path /test) Enable transcoding (changed nothing) + Next On next window : Stream From a virtual machine, through lan, in terminal : $ mplayer http://192.168.0.11:8000/test MP3 file played as expected. Updated to testing package : -------------------------- icecast-2.3.2-8.1.mga4.x86_64 # systemctl stop icecast # systemctl start icecast Could play the stream through lan using VLC and Mplayer OK
CC: (none) => olchalWhiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
FYI, CVE request for another security issue fixed upstream: http://openwall.com/lists/oss-security/2014/11/25/13
(In reply to David Walser from comment #4) > FYI, CVE request for another security issue fixed upstream: > http://openwall.com/lists/oss-security/2014/11/25/13 AFAICT we do not use the changeowner feature of icecast. Instead, the init script in mageia 3 and 4 uses daemon --user=icecast to set the uid of the icecast process, while I changed this to User=icecast and Group=icecast in the systemd unit definition for cauldron.
(In reply to Christiaan Welvaart from comment #5) > (In reply to David Walser from comment #4) > > FYI, CVE request for another security issue fixed upstream: > > http://openwall.com/lists/oss-security/2014/11/25/13 > > AFAICT we do not use the changeowner feature of icecast. Instead, the init > script in mageia 3 and 4 uses daemon --user=icecast to set the uid of the > icecast process, while I changed this to User=icecast and Group=icecast in > the systemd unit definition for cauldron. Fantastic. Thanks for looking into it!
Finished testing validating. Sysadmins push to testing.
Keywords: (none) => validated_updateCC: (none) => ozkyster, sysadmin-bugsWhiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK => MGA3TOO has_procedure MGA4-64-OK MGA4-32-OK MGA3-64-MGA3-32-OK advisory
(In reply to David Walser from comment #6) > (In reply to Christiaan Welvaart from comment #5) > > (In reply to David Walser from comment #4) > > > FYI, CVE request for another security issue fixed upstream: > > > http://openwall.com/lists/oss-security/2014/11/25/13 > > > > AFAICT we do not use the changeowner feature of icecast. Instead, the init > > script in mageia 3 and 4 uses daemon --user=icecast to set the uid of the > > icecast process, while I changed this to User=icecast and Group=icecast in > > the systemd unit definition for cauldron. > > Fantastic. Thanks for looking into it! Just for the sake of posterity, CVE-2014-9091 was assigned for that: http://openwall.com/lists/oss-security/2014/11/26/4
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0494.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/623291/CC: (none) => luigiwalser
LWN reference for CVE-2014-9091: http://lwn.net/Vulnerabilities/625053/