Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 530784 (CVE-2014-9091)

Summary: <net-misc/icecast-2.4.1: supplementary groups are not overriden (CVE-2014-9091)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: polynomial-c
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1168146
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-11-26 16:24:46 UTC
From ${URL} :

It was found that when the UID and GID were changed in the <changeowner> section of the 
/etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to 
escalate their privileges if the <changeowner> configuration was used.

The following fix was added to icecast version 2.4.0:

In case of <changeowner> only UID and GID were changed, supplementary groups were left in place. 
This is a potential security issue only if <changeowner> is used. New behaviour is to set UID, GID 
and set supplementary groups based on the UID Even in case of icecast remaining in supplementary 
group 0 this "only" gives it things like access to files that are owned by group 0 and according to 
their umask. This is obviously bad, but not as bad as UID 0 with all its other special rights. It's 
a security issue and we fix immediately and recommend users to update.

References:
http://icecast.org/news/icecast-release-2_4_0/
https://trac.xiph.org/changeset/19137/
http://seclists.org/oss-sec/2014/q4/802
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2014-12-06 09:38:07 UTC
+  06 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -icecast-2.3.3-r2.ebuild,
+  -icecast-2.3.3-r3.ebuild, -icecast-2.4.0.ebuild, -files/init.d.icecast,
+  metadata.xml:
+  Removed vulnerable versions. Took over maintenance.
+
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 05:10:35 UTC
CVE-2014-9091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9091):
  Icecast before 2.4.0 does not change the supplementary group privileges when
  <changeowner> is configured, which allows local users to gain privileges via
  unspecified vectors.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-12-12 05:15:38 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 01:11:08 UTC
This issue was resolved and addressed in
 GLSA 201412-38 at http://security.gentoo.org/glsa/glsa-201412-38.xml
by GLSA coordinator Sean Amoss (ackle).