Bug 23798 - icecast new security issue CVE-2018-18820
Summary: icecast new security issue CVE-2018-18820
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-02 13:57 CET by David Walser
Modified: 2018-11-11 20:03 CET (History)
3 users (show)

See Also:
Source RPM: icecast-2.4.3-5.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2018-11-02 13:57:37 CET
Upstream has issued an advisory on November 1:
https://www.openwall.com/lists/oss-security/2018/11/01/3

The issue is fixed upstream in 2.4.4.

Mageia 6 is also affected.
David Walser 2018-11-02 13:57:44 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-11-02 18:42:49 CET
Done for Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-11-02 21:58:01 CET
Advisory:
========================

Updated icecast packages fix security vulnerability:

Buffer overflows in URL auth code if there is a "mount" definition that enables
URL authentication. A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution (CVE-2018-18820).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18820
https://www.openwall.com/lists/oss-security/2018/11/01/3
========================

Updated packages in core/updates_testing:
========================
icecast-2.4.4-1.mga6

from icecast-2.4.4-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 3 Herman Viaene 2018-11-06 16:20:49 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to follow bug 14629 Comment 2 , but I don't get it:
in step 3 on the vlc setup it says:
"set server: localhost, port:8000, mountpoint: test
     login: source, password:2
but the vlc dialogue only asks for Address, mount point and password
and I get:
$ mplayer http://localhost:8000/test
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/test.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/test
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/test

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2018-11-06 16:28:15 CET
Errors when starting stream in vlc:
[b1f10fb8] access_output_shout access out error: failed to initialize shout streaming to localhost:8000//test
[b1f15080] stream_out_standard stream out error: no suitable sout access module for `shout/mp3:////tester@localhost:8000/test'
[b1f15380] main stream output error: stream chain failed for `std{access=shout,mux=mp3,dst=//tester@localhost:8000/test}'
[09741ea0] main input error: cannot start stream output instance, aborting

Note: the mux parameter is set to ogg by vlc, I changed it before submitting to mp3 , but my first tries were with the ogg setting, and thay gave the same result.
Comment 5 David Walser 2018-11-08 17:49:48 CET
Debian has issued an advisory for this on November 4:
https://www.debian.org/security/2018/dsa-4333
Comment 6 Len Lawrence 2018-11-11 20:03:14 CET
Re comment #3: The wizard did present the port number as well
Re comment #4.
Tried this fo x86_64 before updating and saw very similar output from vlc and mplayer.
$ mplayer http://localhost:8000/ice
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/ice.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/ice
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/ice

Exiting... (End of file)

CC: (none) => tarazed25


Note You need to log in before you can comment on or make changes to this bug.