Bug 168765 - media-sound/shoutcast-server-bin < 1.9.8 logfile XSS (CVE-2007-1229)
Summary: media-sound/shoutcast-server-bin < 1.9.8 logfile XSS (CVE-2007-1229)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.frsirt.com/bulletins/9338
Whiteboard: B4 [noglsa] p-y
Duplicates: 173580
Reported: 2007-02-28 17:45 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-04-23 15:12 UTC

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-02-28 17:45:45 UTC
A vulnerability has been discovered in Nullsoft shoutcast. It could be exploited to run a cross-site scripting attack. The vulnerability results from an error in the admin interface, which doesn't filter log files before display. This could be exploited by an attacker to execute malicious HTML/JavaScript code, by injecting it into the logfile using a specially crafted URL.

Version 1.9.7 and previous are affected.

No upstream patch is available for the moment.
Comment 1 Executioner 2007-02-28 19:34:25 UTC
http://www.securityfocus.com/bid/22742

says it's for win32... not sure if that means the linux version is in the clear...
possibly invalid
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-28 19:48:38 UTC
I can confirm that at least a variant of this works with the version we ship
Comment 3 Executioner 2007-02-28 20:24:54 UTC
Well, I guess that settles it.  It is an issue.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 21:54:25 UTC
still [upstream] afaict
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-16 12:00:27 UTC
http://www.shoutcast.com/#news

We're pleased to announce the release of SHOUTcast DSP 1.9.8. This release is a security fix release which fixes the Source Port password/script exploits. 

sound, please bump
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-26 18:07:53 UTC
ping sound
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-04-06 17:31:27 UTC
*** Bug 173580 has been marked as a duplicate of this bug. ***
Comment 8 Steve L 2007-04-06 22:26:48 UTC
Bug 173580 has a one line patch; the SRC_URI line should be:
SRC_URI="sc_serv_${PV}_Linux.tar.gz"
and the filename changed to the new version, if anyone is unsure. (Local overlay.)
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:45:06 UTC
sound team please advise
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-18 05:51:52 UTC
Sound, any news on this one?
Comment 11 Alexis Ballier gentoo-dev 2007-04-18 09:55:28 UTC
bumped, sorry for the unacceptable delay
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-18 10:08:43 UTC
Thanks Alexis. Arches, please test and mark stable.
Target keywords are "amd64 x86"
Comment 13 Peter Weller (RETIRED) gentoo-dev 2007-04-18 17:33:59 UTC
amd64 stable
Comment 14 Markus Meier gentoo-dev 2007-04-18 19:33:52 UTC
media-sound/shoutcast-server-bin-1.9.8
1. emerges on x86
2. passes collision test
3. seems to work

Comment 15 Christian Faulhammer (RETIRED) gentoo-dev 2007-04-19 06:21:19 UTC
x86 stable, we are last arch
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-19 06:56:44 UTC
This one is ready for GLSA decision. I tend to vote NO.
Comment 17 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-19 07:32:29 UTC
I tend to vote YES.
Comment 18 Steve L 2007-04-19 10:57:16 UTC
"Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible."

AIUI GLSAs are for when the fixed package isn't stable yet - or am I (yet again ;) missing something?
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-22 21:56:09 UTC
I vote noglsa.

@steve: the GLSAs are issued after all the fixed packages are stabilized, so that the users can update their system as soon as they receive the GLSA.
Comment 20 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:12:59 UTC
voting no too -> closing

please reopen if you disagree