see DSA-541-1: [...] Security database references: In Mitre's CVE dictionary: CAN-2004-0781. More information: Markus Wörle discovered a cross site scripting problem in status-display (list.cgi) of the icecast internal webserver, an MPEG layer III streaming server. The UserAgent variable is not properly html_escaped so that an attacker could cause the client to execute arbitrary Java script commands. For the stable distribution (woody) this problem has been fixed in version 1.3.11-4.2. For the unstable distribution (sid) this problem has been fixed in version 1.3.12-8. We recommend that you upgrade your icecast-server package. [...] and the Debian changelog for icecast-server at http://packages.debian.org/changelogs/pool/main/i/icecast-server/icecast-server_1.3.12-8/changelog
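An added example (not icecast's or Debian's own code) of the fix pattern the advisory describes: the client-supplied User-Agent header is HTML-escaped before being written into the status listing instead of being interpolated raw. The function names html_escape_alloc and render_client_row and the table-row markup are assumptions.

```c
/* Added example, not icecast code: escape an attacker-controlled header
 * value (here the User-Agent) before embedding it in a status page, which
 * is the class of defect DSA-541-1 describes in icecast 1.x list.cgi. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a newly allocated, HTML-escaped copy of s (caller frees), or
 * NULL on allocation failure. Escaping & < > " ' covers both element
 * content and quoted attribute values, so a header value cannot close
 * the surrounding tag or start a new one. */
char *html_escape_alloc(const char *s)
{
    size_t len = strlen(s), out_len = 0;
    char *out = malloc(len * 6 + 1);   /* worst case: "&quot;" per byte */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *rep;
        switch (s[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        if (rep) {
            size_t rl = strlen(rep);
            memcpy(out + out_len, rep, rl);
            out_len += rl;
        } else {
            out[out_len++] = s[i];
        }
    }
    out[out_len] = '\0';
    return out;
}

/* Hardened row renderer: escape first, then format. The unfixed pattern
 * is the same snprintf with user_agent passed straight through. Returns
 * the snprintf result or -1 if escaping failed. */
int render_client_row(char *buf, size_t n, const char *user_agent)
{
    char *esc = html_escape_alloc(user_agent);
    if (!esc) return -1;
    int r = snprintf(buf, n, "<tr><td>%s</td></tr>", esc);
    free(esc);
    return r;
}
```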
sound please verify whether this applies to the stable version 2.01 in portage and remove any unneeded and vulnerable versions.
Created attachment 38116 [details, diff] Debian patch to http.c/http.h The full Debian diffs can be found at http://http.us.debian.org/debian/pool/main/i/icecast-server/icecast-server_1.3.12-8.diff.gz the attachment contains the extracted diffs to http.c and http.h
I'll look into this when I get off of work unless another member can get to it first.
icecast-1.* was removed from the tree. This does not affect the stability of any of the arches as they use version 2.0.0+. GLSA needs drafting.
ChrisWhite can you confirm that version 2 is vulnerable also? No sources seem to have a definite answer.
icecast 1.* is already deprecated by GLSA 200405-10, so there is no need for a GLSA if this only affects 1.* versions. If this affects 2.* versions too, then new ebuilds should be produced. http://www.securitytracker.com/alerts/2004/Aug/1011046.html says it's unsure if icecast 2 is vulnerable or not. In all cases this shouldn't be in GLSA status, but rather unconfirmed (NEW). Clearing status whiteboard.
Looking at icecast 2.x source code, they can't be vulnerable to the exact same issue since the CGIs were rewritten as XSL thingies and the affected code does not exist anymore. They may be riddled by XSS vulnerabilities, but not by this exact one. I will close this one as WONTFIX (1.x series is already security-deprecated by an old GLSA) if nobody complains and/or brings evidence icecast 2 is vulnerable too. We could always reopen the bug if something appears in icecast next version.
Although I don't believe that icecast 2 is affected, OSVDB had it listed, so I asked about it... here is the reply:

: Hi,
:
: in the products section you list "Icecast Icecast 2.0.1", the Debian
: advisory is about 1.3.11 though and securitytracker.com says
: "Version(s): 1.3.12 and prior versions (it is not clear if version 2.0.x
: is affected or not) " (s. <http://securitytracker.com/id?1011046>). So I
: was wondering if you have any confirmation yet, that the vulnerability
: exists in 2.0.x versions too.

Not specifically. Debian appears to use their own version scheme for this package, as they do with many others. Based on the date of the advisory, 2.0.1 is the current release according to the Icecast home page. It stands to reason that all versions up to Aug 24, 2004 would be affected, or at least the current versions on that date. Since Debian released 1.3.11-4.2, and that doesn't correspond with any past releases of Icecast, it suggests that the original is still affected.

http://svn.xiph.org/releases/icecast/

This is one of those times where we are operating off dates more than specific version numbers given Linux distribution version schemes.

Brian
OSVDB.org
I disagree with Brian@OSVDB. Debian does not have a specific 1.x version number that would in fact be a 2.x. They really still have the old version in their package tree, with the usual Debian patchset subversion. Their security patch applies to that 1.* version, but cannot apply to the 2.* version since it's a serious rewrite. Looking at the patch and the 2.x sources, there might be XSS vulns in the 2.x code, but it's clearly not the same vulnerability. I can't spend more time auditing icecast sources. OSVDB shouldn't operate from dates. They should operate by looking at the source code and double-check that the Debian version number is indeed the same as Icecast official versions. vorlon: please forward me the answer so that I can reply to it :)
Closing this one as it's about Icecast 1 and it's already deprecated by another GLSA. If someone gets evidence that Icecast 2 is vulnerable, please reopen or file another bug.
Posted a request to the icecast-dev mailing list and got the following two replies:

On 09/03/04 06:07, Michael Smith wrote:
> On Thursday 02 September 2004 18:33, Matthias Geerdsen wrote:
>
>> Hi,
>>
>> since Icecast <=1.3.12 has been affected by a cross-site scripting
>> vulnerability in the status display (s.
>> <http://securitytracker.com/alerts/2004/Aug/1011046.html> and
>> <http://www.debian.org/security/2004/dsa-541>) it appears to be unclear
>> so far if Icecast 2.x is vulnerable too. Can anyone of you maybe confirm
>> it is affected/not affected?
>>
>> Regards,
>> Matthias
>
> It is possible (but unlikely, I think - we've generally been careful about
> this sort of thing) that icecast 2.x is vulnerable to problems of a similar
> _type_ to this. However, 2.x cannot be vulnerable to this _specific_ problem,
> since it's a completely different codebase.
>
> Mike

On 09/03/04 05:21, Geoff Shang wrote:
> Hi:
>
> Icecast 2.x is a complete rewrite, so any bugs in icecast 1.x are not
> necessarily present in version 2. This is not to say that the bug
> doesn't exist, just that it doesn't exist by virtue of having inherited
> it from icecast 1.
>
> Note that I'm not a developer so I can't answer your question as such.
> Maybe try to reproduce the bug?
>
> Geoff.
>
> _______________________________________________
> Icecast-dev mailing list
> Icecast-dev@xiph.org
> http://lists.xiph.org/mailman/listinfo/icecast-dev