Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 50935 - net-misc/icecast : basic authentication denial of service in 2.0
Summary: net-misc/icecast : basic authentication denial of service in 2.0
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
: Highest normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/11578/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-13 07:01 UTC by Paul Slinski
Modified: 2004-05-19 10:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
koon: Assigned_To? (koon)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Slinski 2004-05-13 07:01:35 UTC
A vulnerability in Icecast, can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an out-of-bounds read error within the web interface when handling Basic Authorization requests. This can be exploited to crash the application by passing a specially crafted, overly long string (about 3000 bytes) in a "Authorization:" header.

The vulnerability has been confirmed in version 2.0.0 for Windows. Other versions may also be affected.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.




Icecast 2.0.1 has been released to plug the hole

See http://secunia.com/advisories/11578/ for the advisory.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-05-13 08:53:59 UTC
Like the Xiph guys say, "this release contains ONLY the fix for this issue" so it shouldn't be a painful upgrade.

Sound guys, could you bump the ebuild to 2.0.1 ?
Comment 2 Martin Holzer (RETIRED) gentoo-dev 2004-05-13 09:24:53 UTC
2.0.1 is in cvs
Comment 3 Kurt Lieber (RETIRED) gentoo-dev 2004-05-13 10:34:00 UTC
x86, sparc, amd64, please test/mark stable.
Comment 4 Jon Portnoy (RETIRED) gentoo-dev 2004-05-13 10:49:43 UTC
Stable on x86 + amd64
Comment 5 Jason Wever (RETIRED) gentoo-dev 2004-05-15 12:31:37 UTC
Already marked stable on sparc, but tested here and it's good to go.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-05-18 06:49:39 UTC
GLSA draft in progress
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-05-19 10:49:16 UTC
GLSA 200405-10