Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 530784 (CVE-2014-9091) - <net-misc/icecast-2.4.1: supplementary groups are not overriden (CVE-2014-9091)
Summary: <net-misc/icecast-2.4.1: supplementary groups are not overriden (CVE-2014-9091)
Alias: CVE-2014-9091
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2014-11-26 16:24 UTC by Agostino Sarubbo
Modified: 2014-12-26 01:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-11-26 16:24:46 UTC
From ${URL} :

It was found that when the UID and GID were changed in the <changeowner> section of the 
/etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to 
escalate their privileges if the <changeowner> configuration was used.

The following fix was added to icecast version 2.4.0:

In case of <changeowner> only UID and GID were changed, supplementary groups were left in place. 
This is a potential security issue only if <changeowner> is used. New behaviour is to set UID, GID 
and set supplementary groups based on the UID Even in case of icecast remaining in supplementary 
group 0 this "only" gives it things like access to files that are owned by group 0 and according to 
their umask. This is obviously bad, but not as bad as UID 0 with all its other special rights. It's 
a security issue and we fix immediately and recommend users to update.

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-12-06 09:38:07 UTC
+  06 Dec 2014; Lars Wendler <> -icecast-2.3.3-r2.ebuild,
+  -icecast-2.3.3-r3.ebuild, -icecast-2.4.0.ebuild, -files/init.d.icecast,
+  metadata.xml:
+  Removed vulnerable versions. Took over maintenance.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 05:10:35 UTC
CVE-2014-9091 (
  Icecast before 2.4.0 does not change the supplementary group privileges when
  <changeowner> is configured, which allows local users to gain privileges via
  unspecified vectors.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-12-12 05:15:38 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 01:11:08 UTC
This issue was resolved and addressed in
 GLSA 201412-38 at
by GLSA coordinator Sean Amoss (ackle).