Bug 136721

Summary:	media-sound/shoutcast-server-bin Arbitrary file read
Product:	Gentoo Security	Reporter:	Peter Kosinar <goober>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	eradicator, sound
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
URL:	http://people.ksp.sk/~goober/advisory/001-shoutcast.html
Whiteboard:	B4 [glsa] DerCorny
Package list:		Runtime testing required:	---

Description Peter Kosinar 2006-06-13 16:51:22 UTC

Shoutcast server 1.9.5 allows any remote attacker who can reach the server's port to read arbitrary files on the machine. Sample request can be obtained using the following command:

echo -e "GET /content/%2E./.%2E/%2E%2E/etc/shadow%00.mp3\n"

which, when piped through netcat to the listening Shoutcast server, should show the contents of /etc/shadow file. The complete advisory (written for a different target audience, though; so it contains some uninteresting details) can be found at http://people.ksp.sk/~goober/advisory/001-shoutcast.html

The vendor (Nullsoft) has NOT been contacted yet, for I failed to find any security contact and didn't feel very much like posting this information to their public forums.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-14 02:56:02 UTC

Jeremy you touched this one before Chris White. Could you please advise?

@Peter is link public?

Comment 2 Peter Kosinar 2006-06-14 04:09:23 UTC

No, the link is not public and will not become public until the vulnerability is resolved.

Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev

2006-06-16 12:57:01 UTC

Well, this is a binary package.  We can't do anything until upstream releases a new version.  The workarounds are valid, but we can't really force that on users as I'm sure many won't want to not run it in a chroot jail.

As for executing as a unpriv user, that's a good idea in general, and I don't see why that wasn't the case already.

We need to notify upstream.  I'd look for personal contact info for the developers.  Additionally, I believe NullSoft is still owned by AOL, so you might be able to contact AOL's security team for the contact information.

Comment 4 Peter Kosinar 2006-06-22 15:32:25 UTC

The upstream released a new version for Linux today. Preliminary tests show that the original vulnerability is no longer present, but the changes introduced a new, very similar one. Thus, the actual version (1.9.6) is NOT safe yet.

Comment 5 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-22 15:42:20 UTC

Peter, is upstream informed that it's still flawed?

Comment 6 Peter Kosinar 2006-06-22 15:57:47 UTC

Yes, the vendor has been notified a few minutes ago.

Comment 7 Peter Kosinar 2006-06-23 13:00:33 UTC

Okay, upstream released 1.9.7 today, vulnerabilities (original one + the new ones caused by the first fix) are apparently fixed.

Comment 8 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-24 07:34:19 UTC

eradicator, please bump. Shoutcast mentioned the security issues on their homepage and their board, so this is public. Peter, may we open this bug to the public, too?

Comment 9 Peter Kosinar 2006-06-24 07:48:53 UTC

As the fixed version is available, I see no problems with opening it.

Comment 10 Jeremy Huddleston (RETIRED) gentoo-dev

2006-06-24 22:26:25 UTC

I am on vacation in Hawaii and don't have access to my box to test the new software.

Comment 11 Jeremy Huddleston (RETIRED) gentoo-dev

2006-06-24 22:42:41 UTC

I am on vacation in Hawaii and don't have access to my box to test the new software.

sound: Can someone please bump this and test it?

Comment 12 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-25 06:49:45 UTC

amd64 and x86 please test and mark stable, but beware: i haven't slept for 30h

Comment 13 Raúl Porcel (RETIRED) gentoo-dev

2006-06-28 13:48:27 UTC

Tested in x86 and works pretty fine, i'm listening right now my music.
Should be marked as stable.

Comment 14 Chris Gianelloni (RETIRED) gentoo-dev

2006-06-29 12:26:44 UTC

Stable on amd64/x86... thanks for testing...

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-30 08:47:09 UTC

This one is ready for GLSA decision.

Comment 16 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-30 08:55:20 UTC

mhh, weak yes, but i wouldn't mind a no

Comment 17 Stefan Cornelius (RETIRED) gentoo-dev

2006-06-30 08:55:46 UTC

mhh, weak yes, but i wouldn't mind a no

Comment 18 Wolf Giesen (RETIRED) gentoo-dev

2006-06-30 09:17:56 UTC

Kinda silly, but YES.

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-06-30 09:19:26 UTC

Voting yes, so let's have a GLSA more.

Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-09 10:37:19 UTC

GLSA 200607-05