Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Shoutcast server 1.9.5 allows any remote attacker who can reach the server's port to read arbitrary files on the machine. Sample request can be obtained using the following command: echo -e "GET /content/%2E./.%2E/%2E%2E/etc/shadow%00.mp3\n" which, when piped through netcat to the listening Shoutcast server, should show the contents of /etc/shadow file. The complete advisory (written for a different target audience, though; so it contains some uninteresting details) can be found at http://people.ksp.sk/~goober/advisory/001-shoutcast.html The vendor (Nullsoft) has NOT been contacted yet, for I failed to find any security contact and didn't feel very much like posting this information to their public forums.
Jeremy you touched this one before Chris White. Could you please advise? @Peter is link public?
No, the link is not public and will not become public until the vulnerability is resolved.
Well, this is a binary package. We can't do anything until upstream releases a new version. The workarounds are valid, but we can't really force that on users as I'm sure many won't want to not run it in a chroot jail. As for executing as a unpriv user, that's a good idea in general, and I don't see why that wasn't the case already. We need to notify upstream. I'd look for personal contact info for the developers. Additionally, I believe NullSoft is still owned by AOL, so you might be able to contact AOL's security team for the contact information.
The upstream released a new version for Linux today. Preliminary tests show that the original vulnerability is no longer present, but the changes introduced a new, very similar one. Thus, the actual version (1.9.6) is NOT safe yet.
Peter, is upstream informed that it's still flawed?
Yes, the vendor has been notified a few minutes ago.
Okay, upstream released 1.9.7 today, vulnerabilities (original one + the new ones caused by the first fix) are apparently fixed.
eradicator, please bump. Shoutcast mentioned the security issues on their homepage and their board, so this is public. Peter, may we open this bug to the public, too?
As the fixed version is available, I see no problems with opening it.
I am on vacation in Hawaii and don't have access to my box to test the new software.
I am on vacation in Hawaii and don't have access to my box to test the new software. sound: Can someone please bump this and test it?
amd64 and x86 please test and mark stable, but beware: i haven't slept for 30h
Tested in x86 and works pretty fine, i'm listening right now my music. Should be marked as stable.
Stable on amd64/x86... thanks for testing...
This one is ready for GLSA decision.
mhh, weak yes, but i wouldn't mind a no
Kinda silly, but YES.
Voting yes, so let's have a GLSA more.
GLSA 200607-05
