Jamie Strandboge <firstname.lastname@example.org> reported to icecast developers (CCing <email@example.com>) about possibility to inject fake message into icecast error log by specially crafted HTTP request sent to icecast server port discovered by Moritz Naumann:
"Newline injection in error.log
Running this command against an icecast2 running on 127.0.0.1...
echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
Upstream responded fixing 2.3.3 version would be released soon.
Thanks for the bug, Petr.
I was able to reproduce the fake log file with the same info as referenced here:
netcat must be installed of course
Any news? Because 2.3.3 is released.
The 2.3.3 fixes this issue:
r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines
This is part of the patch-set addressing CVE-2011-4612.
2.3.3 now in portage. I can only do a limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.
(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.
Arches, please test and mark stable:
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"
I stumbled upon bug 430434.
x86 done, thanks!
alpha/sparc keywords dropped
+ 18 Sep 2012; Kacper Kowalik <firstname.lastname@example.org> icecast-2.3.3.ebuild:
+ ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit
ppc64 stable, last arch done
GLSA vote: no.
Thanks, folks. GLSA Vote: No, tool, closing.
icecast before 2.3.3 allows remote attackers to inject control characters
such as newlines into the error loc (error.log) via a crafted URL.