Bug 670148 (CVE-2018-18820) - <net-misc/icecast-2.4.4: buffer overflows in URL auth code (CVE-2018-18820)
Alias: CVE-2018-18820
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Reported: 2018-11-02 16:32 UTC by Lars Wendler (Polynomial-C)
Modified: 2018-11-10 00:27 UTC
Runtime testing required: ---
stable-bot: sanity-check+


Description Lars Wendler (Polynomial-C) gentoo-dev 2018-11-02 16:32:33 UTC
Icecast 2.4.4
We are releasing Icecast 2.4.4, an important bugfix-only release.
We recommend upgrading for increased stability and compatibility!
A summary of the changes is listed below, for details please refer
to the ChangeLog

## Fixes

- Fix: Fixed segfault in htpasswd auth if no filename is set
- Fix: Do not report hashed user passwords in user list.
- Fix two mistakes in the default config's comments
- Add log message for successful streamlist requests
- Fix: update_from_master() for receiving HTTP/1.1
- Fix: Spelling, thanks to Ukikie
- Fix: Fixed a segfault when xsltApplyStylesheet() returns error
- Fix: Do not segfault on bad Opus streams
- Fix: Corrected response and fixed TLS for 416 Request Range Not Satisfiable 
- Fix: TLS for ICECAST_PROTOCOL_SHOUTCAST source clients
  and investigating the bug.
- Fix: global listener count could be negative under certain circumstances
  Thanks a lot to Simeon Völkel (0xBD4E031CDB4043C9) for reporting
  and investigating the bug.
- Fix: Send "Content-Length: 0" on 100-continue
- Fix: Do not send 100-continue in plain text over TLS sockets
- Fix: Added needed code to announce Opus streams as such to yp.
- Fix: Avoid invalid locking in signal handlers.
- Workaround: avoid libspeex printing warnings on Opus streams.
- Fix: Fixed regression introduced by r19250.
  The fix checks if the source client is actually
  known before printing its IP-Address.
- Fix: do not allow unescaped strings in XML output.

## Known issues

-   HTTP PUT implementation currently doesn't support chunked encoding yet.
-   HTTP PUT with "Expect: 100-Continue" receives first a "100" and soon
    after a "200", instead of the "200" at the end of transmission.
-   Caution should be exercised when using `<on-connect>` or
    `<on-disconnect>`, as there is a small chance of stream file descriptors
    being mixed up with script file descriptors, if the FD numbers go above
    1024. This will be further addressed in the next Icecast release.
-   Don't use comments inside `<http-headers>` as it will
    prevent processing of further `<header>` tags.
-   Webinterface shows Login when using just `stream_auth`.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-11-04 19:14:27 UTC
x86 stable
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-05 19:02:20 UTC
amd64 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-05 22:56:05 UTC
ppc64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2018-11-08 08:10:15 UTC
ppc stable
Comment 5 Larry the Git Cow gentoo-dev 2018-11-08 09:18:00 UTC
The bug has been referenced in the following commit(s):

commit 9ff3af5be94d2f44735a2f50c015693b8d714894
Author:     Lars Wendler <>
AuthorDate: 2018-11-08 09:17:48 +0000
Commit:     Lars Wendler <>
CommitDate: 2018-11-08 09:17:48 +0000

    net-misc/icecast: Security cleanup.
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Lars Wendler <>

 net-misc/icecast/Manifest             |  1 -
 net-misc/icecast/icecast-2.4.3.ebuild | 91 -----------------------------------
 2 files changed, 92 deletions(-)
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-11-08 14:04:07 UTC
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2018-11-10 00:27:32 UTC
This issue was resolved and addressed in
 GLSA 201811-09 at
by GLSA coordinator Thomas Deutschmann (whissi).