| Field | Value |
|---|---|
| Summary | media-sound/shoutcast-server-bin Arbitrary file read |
| Product | Gentoo Security |
| Reporter | Peter Kosinar <goober> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | eradicator, sound |
| Priority | High |
| Version | unspecified |
| Hardware | x86 |
| OS | Linux |
| URL | http://people.ksp.sk/~goober/advisory/001-shoutcast.html |
| Whiteboard | B4 [glsa] DerCorny |
| Package list | |
| Runtime testing required | --- |
Description

Peter Kosinar, 2006-06-13 16:51:22 UTC

Jeremy, you touched this one before Chris White. Could you please advise? @Peter: is the link public?

No, the link is not public and will not become public until the vulnerability is resolved.

Well, this is a binary package. We can't do anything until upstream releases a new version. The workarounds are valid, but we can't really force that on users, as I'm sure many won't want to run it in a chroot jail. As for executing as an unprivileged user, that's a good idea in general, and I don't see why that wasn't the case already. We need to notify upstream. I'd look for personal contact info for the developers. Additionally, I believe NullSoft is still owned by AOL, so you might be able to contact AOL's security team for the contact information.

Upstream released a new version for Linux today. Preliminary tests show that the original vulnerability is no longer present, but the changes introduced a new, very similar one. Thus, the current version (1.9.6) is NOT safe yet.

Peter, is upstream informed that it's still flawed?

Yes, the vendor was notified a few minutes ago.

Okay, upstream released 1.9.7 today; the vulnerabilities (the original one plus the new ones caused by the first fix) are apparently fixed. eradicator, please bump.

Shoutcast mentioned the security issues on their homepage and their board, so this is public. Peter, may we open this bug to the public, too?

As the fixed version is available, I see no problems with opening it.

I am on vacation in Hawaii and don't have access to my box to test the new software.

sound: Can someone please bump this and test it?

amd64 and x86, please test and mark stable, but beware: I haven't slept for 30h.

Tested on x86 and it works pretty fine; I'm listening to my music right now. Should be marked as stable.

Stable on amd64/x86... thanks for testing... This one is ready for GLSA decision.

mhh, weak yes, but I wouldn't mind a no.

Kinda silly, but YES.

Voting yes, so let's have one more GLSA.

GLSA 200607-05