Bug 23798 - icecast new security issue CVE-2018-18820
Summary: icecast new security issue CVE-2018-18820
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-02 13:57 CET by David Walser
Modified: 2018-11-28 21:51 CET (History)
6 users (show)

See Also:
Source RPM: icecast-2.4.3-5.mga7.src.rpm
CVE:
Status comment:


Attachments
screen print and notes - openoffice format (100.12 KB, application/vnd.oasis.opendocument.text)
2018-11-28 05:13 CET, Brian Rockwell
Details

Description David Walser 2018-11-02 13:57:37 CET
Upstream has issued an advisory on November 1:
https://www.openwall.com/lists/oss-security/2018/11/01/3

The issue is fixed upstream in 2.4.4.

Mageia 6 is also affected.
David Walser 2018-11-02 13:57:44 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David GEIGER 2018-11-02 18:42:49 CET
Done for Cauldron and mga6!

CC: (none) => geiger.david68210

Comment 2 David Walser 2018-11-02 21:58:01 CET
Advisory:
========================

Updated icecast packages fix security vulnerability:

Buffer overflows in URL auth code if there is a "mount" definition that enables
URL authentication. A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution (CVE-2018-18820).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18820
https://www.openwall.com/lists/oss-security/2018/11/01/3
========================

Updated packages in core/updates_testing:
========================
icecast-2.4.4-1.mga6

from icecast-2.4.4-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 3 Herman Viaene 2018-11-06 16:20:49 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Tried to follow bug 14629 Comment 2 , but I don't get it:
in step 3 on the vlc setup it says:
"set server: localhost, port:8000, mountpoint: test
     login: source, password:2
but the vlc dialogue only asks for Address, mount point and password
and I get:
$ mplayer http://localhost:8000/test
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/test.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/test
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/test

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2018-11-06 16:28:15 CET
Errors when starting stream in vlc:
[b1f10fb8] access_output_shout access out error: failed to initialize shout streaming to localhost:8000//test
[b1f15080] stream_out_standard stream out error: no suitable sout access module for `shout/mp3:////tester@localhost:8000/test'
[b1f15380] main stream output error: stream chain failed for `std{access=shout,mux=mp3,dst=//tester@localhost:8000/test}'
[09741ea0] main input error: cannot start stream output instance, aborting

Note: the mux parameter is set to ogg by vlc, I changed it before submitting to mp3 , but my first tries were with the ogg setting, and thay gave the same result.
Comment 5 David Walser 2018-11-08 17:49:48 CET
Debian has issued an advisory for this on November 4:
https://www.debian.org/security/2018/dsa-4333
Comment 6 Len Lawrence 2018-11-11 20:03:14 CET
Re comment #3: The wizard did present the port number as well
Re comment #4.
Tried this fo x86_64 before updating and saw very similar output from vlc and mplayer.
$ mplayer http://localhost:8000/ice
MPlayer 1.3.0-12.mga6.tainted-5.4.0 (C) 2000-2016 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing http://localhost:8000/ice.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
STREAM_ASF, URL: http://localhost:8000/ice
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404:File Not Found
Failed to parse header.
Failed, exiting.
Resolving localhost for AF_INET6...
Connecting to server localhost[::1]: 8000...

connect error: Connection refused
Resolving localhost for AF_INET...
Connecting to server localhost[127.0.0.1]: 8000...

Server returned 404: File Not Found
No stream found to handle url http://localhost:8000/ice

Exiting... (End of file)

CC: (none) => tarazed25

Comment 7 Brian Rockwell 2018-11-28 05:12:50 CET
The following 2 packages are going to be installed:

- icecast-2.4.4-1.mga6.x86_64
- perl-MP3-Info-1.240.0-7.mga6.noarch

437KB of additional disk space will be used.


$ uname -a
Linux localhost 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


I had to go in:

1.  Add my id to the icecast group
2.  from root user #chmod g+w /var/log/icecast

to run it:

$ icecast -c /etc/icecast.xml

CC: (none) => brtians1

Comment 8 Brian Rockwell 2018-11-28 05:13:26 CET
Created attachment 10515 [details]
screen print and notes - openoffice format
Brian Rockwell 2018-11-28 05:13:46 CET

Whiteboard: (none) => MGA6-64-OK

Lewis Smith 2018-11-28 19:51:17 CET

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 9 Mageia Robot 2018-11-28 21:51:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0472.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.