Summary: | <net-misc/icecast-2.3.3: new line injection into log (CVE-2011-4612) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Petr Pisar <petr.pisar> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | barzog, hwoarang, sound |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B4 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 430434 | | |
Bug Blocks: | | | |

Description
Petr Pisar
2011-12-15 19:08:02 UTC

Thanks for the bug, Petr.

I was able to reproduce the fake log file with the same info as referenced here: https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782

netcat must be installed of course

Any news? Because 2.3.3 is released.

The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines

This is part of the patch-set addressing CVE-2011-4612.

2.3.3 now in portage. I can only do a limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.

(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
=net-misc/icecast-2.3.3
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"

I stumbled upon bug 430434.

x86 done, thanks!

ppc done

amd64 done

alpha/sparc keywords dropped

+ 18 Sep 2012; Kacper Kowalik <xarthisius@gentoo.org> icecast-2.3.3.ebuild:
+ ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit
+ RDEPEND

ppc64 stable, last arch done

Thanks, everyone. GLSA vote: no.

Thanks, folks. GLSA Vote: No, tool, closing.

CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612): icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
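
The flaw named in the CVE text above is that a request URL reaches error.log with its control characters intact, so one request can produce several log lines. As an added example (not icecast's code and not the 2.3.3 patch), the C helper below neutralises such bytes before a line is formatted; `log_escape`, `format_error_line`, the log line layout and the sample URI are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not icecast's code): copy an untrusted URI into dst,
 * rewriting control bytes, non-ASCII bytes and the backslash itself as \xHH.
 * Output is truncated on a whole-escape boundary; returns bytes written. */
size_t log_escape(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (dstlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        int plain = (*p >= 0x20 && *p < 0x7f && *p != '\\');
        size_t need = plain ? 1 : 4;
        if (o + need >= dstlen)      /* always keep room for the NUL */
            break;
        if (plain) {
            dst[o++] = (char)*p;
        } else {                     /* e.g. '\n' becomes the text \x0a */
            dst[o++] = '\\';
            dst[o++] = 'x';
            dst[o++] = hex[*p >> 4];
            dst[o++] = hex[*p & 0x0f];
        }
    }
    dst[o] = '\0';
    return o;
}

/* Build one error-log line (constructed layout) from an untrusted URI. */
int format_error_line(char *line, size_t len, const char *uri)
{
    char safe[512];
    log_escape(safe, sizeof safe, uri);
    return snprintf(line, len, "[WARN] request for unknown mount \"%s\"", safe);
}

int main(void)
{
    /* Constructed input: a decoded request path carrying CR LF and extra text. */
    const char *uri = "/nosuch\r\n[WARN] forged entry";
    char line[1024];
    format_error_line(line, sizeof line, uri);
    puts(line);                      /* stays a single physical line */
    return 0;
}
```

Escaping the backslash as well keeps the encoding unambiguous, so a reader of the log can tell an escaped newline from a request that literally contained the characters `\x0a`.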