Debian Bug report logs - #782120
icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option (CVE-2015-3026)


Package: icecast2; Maintainer for icecast2 is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for icecast2 is src:icecast2 (PTS, buildd, popcon).

Reported by: Juliane Holzt <juliane@holzt.de>

Date: Wed, 8 Apr 2015 06:09:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions icecast2/2.3.3-1, icecast2/2.4.0-1.1

Fixed in versions icecast2/2.4.2-1, icecast2/2.4.0-1.1+deb8u1

Done: Unit 193 <unit193@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#782120; Package icecast2. (Wed, 08 Apr 2015 06:09:07 GMT)


Acknowledgement sent to Juliane Holzt <juliane@holzt.de>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 08 Apr 2015 06:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Juliane Holzt <juliane@holzt.de>
To: submit@bugs.debian.org
Subject: icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option
Date: Wed, 8 Apr 2015 07:59:15 +0200
Package: icecast2
Version: 2.4.0-1.1
Severity: important

icecast can be killed by anyone with a simple HTTP request when
<authentication type="url"> is used and a stream_auth handler is
defined.

Example configuration:

<mount>
  <mount-name>/test</mount-name>
  <authentication type="url">
    <option name="stream_auth" value="http://127.0.0.1/bla"/>
  </authentication>
</mount>

(Note: It does not matter where the URL for stream_auth points to,
if it is reachable or not. Actually icecast dies before even
accessing that URL.)

Given the above configuration anyone can now easily kill icecast
by this command:

wget http://<servername>:8000/admin/killsource?mount=/test

This only happens when making a request WITHOUT login credentials.

I'm marking this bug important but it might justify a higher
severity. With this security problem the package appears unfit
for release.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#782120; Package icecast2. (Wed, 08 Apr 2015 08:45:05 GMT)


Acknowledgement sent to Thomas Ruecker <thomas+debian@ruecker.fi>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 08 Apr 2015 08:45:05 GMT)


Message #10 received at 782120@bugs.debian.org:

From: Thomas Ruecker <thomas+debian@ruecker.fi>
To: 782120@bugs.debian.org
Subject: Upstream is aware and working on a fix
Date: Wed, 08 Apr 2015 08:37:31 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We became aware minutes after the bug was filed (Thanks Ukikie).
We've discussed this with Juliane, reproduced it and are working on a
fix and release.
Details later today.


Thomas Ruecker
Icecast maintainer / Xiph.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlUk6MsACgkQfkVKO9VkYGkFEACeOGULWCqTlrQVGgdOy1SWe4Yt
V68An0DXaQNVrgB2xQn4XlVBOLs58gfk
=Ftrl
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#782120; Package icecast2. (Wed, 08 Apr 2015 15:18:05 GMT)


Acknowledgement sent to "Thomas B. Rücker" <thomas@ruecker.fi>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 08 Apr 2015 15:18:05 GMT)


Message #15 received at 782120@bugs.debian.org:

From: "Thomas B. Rücker" <thomas@ruecker.fi>
To: 782120@bugs.debian.org
Subject: Upstream has released a fixed version.
Date: Wed, 08 Apr 2015 15:14:28 +0000
We've released 2.4.2, which fixes this and should also address possible
other similar issues.

http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html

We're currently waiting for the CVE ID from MITRE.

Thanks again to Juliane for bringing this up and discussing further
details with us.


Thomas B. Rücker
Icecast maintainer



Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 08 Apr 2015 18:39:04 GMT)


Changed Bug title to 'icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option (CVE-2015-3026)' from 'icecast2: icecast can be remotely killed by anyone if using <authentication type="url"> and stream_auth option'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Apr 2015 04:33:04 GMT)


Marked as found in versions icecast2/2.3.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 09 Apr 2015 18:30:04 GMT)


Reply sent to Unit 193 <unit193@ubuntu.com>:
You have taken responsibility. (Wed, 29 Apr 2015 10:51:26 GMT)


Notification sent to Juliane Holzt <juliane@holzt.de>:
Bug acknowledged by developer. (Wed, 29 Apr 2015 10:51:26 GMT)


Message #26 received at 782120-close@bugs.debian.org:

From: Unit 193 <unit193@ubuntu.com>
To: 782120-close@bugs.debian.org
Subject: Bug#782120: fixed in icecast2 2.4.2-1
Date: Wed, 29 Apr 2015 10:49:08 +0000
Source: icecast2
Source-Version: 2.4.2-1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782120@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@ubuntu.com> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 29 Apr 2015 11:46:31 +0200
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.2-1
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Unit 193 <unit193@ubuntu.com>
Description:
 icecast2   - streaming media server
Closes: 692970 740667 767542 779968 782120
Changes:
 icecast2 (2.4.2-1) unstable; urgency=high
 .
   * Imported Upstream version 2.4.2 (Closes: #779968)
     - Set PATH_MAX to 4096 if not defined (Closes: #767542)
     - Fix crash with stream_auth (Closes: #782120, fixes: CVE-2015-3026)
   * Update upstream-tarball hints for new upstream source.
   * d/copyright, d/copyright_hints: Update for new upstream release.
   * ACK NMU by Simon Richter, thanks.
   * Debconf translation: Japanese, victory (Closes: #692970)
   * Relax debhelper compat level to 8 for easier backporting.
   * d/rules: Remove extra changelog.
   * d/icecast2.postinst: Change ed calls to sed. (Closes: #740667)
   * Update standards version to 3.9.6.
Checksums-Sha1:
 423ccd9e20857719f7cceed9c93c14f3aa90c98c 2309 icecast2_2.4.2-1.dsc
 57a092302ab8aa4993fa280f299c099d25e875a5 2388381 icecast2_2.4.2.orig.tar.gz
 a99d2cfe3b477d29b3b061013700b3bcc7e7e4e9 32092 icecast2_2.4.2-1.debian.tar.xz
 5203ed0056249c52a739d39b0a5e7af9d299a2d5 1540232 icecast2_2.4.2-1_amd64.deb
Checksums-Sha256:
 91e6cc17e090239c9b3cb6c28be4acecd691e523be4f8c00545777737a2ebd37 2309 icecast2_2.4.2-1.dsc
 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f 2388381 icecast2_2.4.2.orig.tar.gz
 1bd3cae7611a98dd66b2eb74d1d695e8d819eb8297c757c8637eaace6d513c56 32092 icecast2_2.4.2-1.debian.tar.xz
 8575c768a11da245e48007a41e2899aad10936d6f34f5c00e01c0bdea7f6e525 1540232 icecast2_2.4.2-1_amd64.deb
Files:
 52068952cd711c9dcdbe9d592a091176 2309 sound optional icecast2_2.4.2-1.dsc
 55947c83d31dfcbbede58c9521c676f4 2388381 sound optional icecast2_2.4.2.orig.tar.gz
 788d03d8d4c70d56db07927ee3f73b9f 32092 sound optional icecast2_2.4.2-1.debian.tar.xz
 6c92b60f768353e8f1c717634d4a6bea 1540232 sound optional icecast2_2.4.2-1_amd64.deb





Reply sent to Unit 193 <unit193@ubuntu.com>:
You have taken responsibility. (Thu, 30 Apr 2015 18:48:25 GMT)


Notification sent to Juliane Holzt <juliane@holzt.de>:
Bug acknowledged by developer. (Thu, 30 Apr 2015 18:48:25 GMT)


Message #31 received at 782120-close@bugs.debian.org:

From: Unit 193 <unit193@ubuntu.com>
To: 782120-close@bugs.debian.org
Subject: Bug#782120: fixed in icecast2 2.4.0-1.1+deb8u1
Date: Thu, 30 Apr 2015 18:47:17 +0000
Source: icecast2
Source-Version: 2.4.0-1.1+deb8u1

We believe that the bug you reported is fixed in the latest version of
icecast2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 782120@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Unit 193 <unit193@ubuntu.com> (supplier of updated icecast2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 28 Apr 2015 16:25:58 -0400
Source: icecast2
Binary: icecast2
Architecture: source amd64
Version: 2.4.0-1.1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Unit 193 <unit193@ubuntu.com>
Description:
 icecast2   - streaming media server
Closes: 782120
Changes:
 icecast2 (2.4.0-1.1+deb8u1) jessie-security; urgency=high
 .
   * This fixes a crash (NULL reference) in case URL Auth is used
     and stream_auth is triggered with no credentials passed by the client.
     Username and password are now set to empty strings and transmitted to
     the backend server this way. (Closes: #782120, fixes CVE-2015-3026)
Checksums-Sha1:
 6e9527155c0048dd8c1802e7f5cd7f639af3f7ae 2345 icecast2_2.4.0-1.1+deb8u1.dsc
 45bd403c2b1d6f1250216cd3a0447d41f979c348 1087795 icecast2_2.4.0.orig.tar.gz
 321ebb03bbd744f70bbf056a0d3c6c3e6a430769 29592 icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 c111c2604f993416384fc7d58eaa8460464c2a8e 277478 icecast2_2.4.0-1.1+deb8u1_amd64.deb
Checksums-Sha256:
 f8ffc26abe6e51f96a8013e1877be88a03169389fc79e7a7fa58bf92871afd11 2345 icecast2_2.4.0-1.1+deb8u1.dsc
 17b7e957e1b16a576efaabd69c15126e84ce98d3791ccee4546b72c0c6460f32 1087795 icecast2_2.4.0.orig.tar.gz
 895acd7bd62ab3fa83bcd254335f83d89c76ef30b06df71cc4316c459ae767ca 29592 icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 9162b6c388649240e6b062d9d492712526aa5e99830fd77141beedf1e2e7843a 277478 icecast2_2.4.0-1.1+deb8u1_amd64.deb
Files:
 53563ee8b987f06581f9b9fffc89d337 2345 sound optional icecast2_2.4.0-1.1+deb8u1.dsc
 bb00bfc0d6d2dde24974641085602b81 1087795 sound optional icecast2_2.4.0.orig.tar.gz
 726dc90c578d792542bb9423795a20ef 29592 sound optional icecast2_2.4.0-1.1+deb8u1.debian.tar.xz
 fc3f92a0d4d89f141531d1f169592c3e 277478 sound optional icecast2_2.4.0-1.1+deb8u1_amd64.deb

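The jessie-security changelog above describes the defect class: a request with no credentials reaches the URL-auth code path with NULL username and password pointers, and those pointers are handed to string routines when the stream_auth backend request is assembled. The following is an added illustration of that pattern and of the fix the changelog names (normalising absent credentials to empty strings before building the request). It is constructed for this page and is not Icecast's code; the function names build_stream_auth_body and has_credentials, the form field names, and the 256-byte field limits are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-encode s into out (capacity outlen), keeping only the RFC 3986
 * unreserved set literal. Returns the encoded length (excluding the NUL),
 * or -1 if the result would not fit. Encoding the values keeps a client-
 * supplied username from injecting extra form fields into the body. */
static int url_encode(const char *s, char *out, size_t outlen) {
    size_t n = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) return -1;
            n += (size_t)snprintf(out + n, outlen - n, "%%%02X", c);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the form body sent to the stream_auth backend (hypothetical field
 * layout). user and pass are NULL when the client sent no Authorization
 * header; the fragile version of this code passed them straight to strlen()
 * and friends, which is the NULL dereference behind CVE-2015-3026. Here they
 * are replaced by "" first, as the deb8u1 changelog describes, so the backend
 * receives an explicitly empty credential pair and decides what to do with it.
 * Returns a malloc'd string (caller frees) or NULL on error. */
char *build_stream_auth_body(const char *action, const char *mount,
                             const char *user, const char *pass) {
    if (action == NULL || mount == NULL) return NULL;
    if (user == NULL) user = "";
    if (pass == NULL) pass = "";

    char ea[256], em[256], eu[256], ep[256];
    if (url_encode(action, ea, sizeof ea) < 0 ||
        url_encode(mount, em, sizeof em) < 0 ||
        url_encode(user, eu, sizeof eu) < 0 ||
        url_encode(pass, ep, sizeof ep) < 0)
        return NULL;

    size_t len = strlen("action=&mount=&user=&pass=") +
                 strlen(ea) + strlen(em) + strlen(eu) + strlen(ep) + 1;
    char *body = malloc(len);
    if (body == NULL) return NULL;
    snprintf(body, len, "action=%s&mount=%s&user=%s&pass=%s", ea, em, eu, ep);
    return body;
}

/* Defensive pre-check a handler can run before touching the auth path at all:
 * 1 when the request actually carries a username, 0 otherwise. Rejecting an
 * unauthenticated admin request here means the backend never has to be asked
 * about an empty credential pair in the first place. */
int has_credentials(const char *user, const char *pass) {
    return user != NULL && pass != NULL && user[0] != '\0';
}

int main(void) {
    /* Constructed input: an admin request for mount /test with no credentials. */
    const char *user = NULL, *pass = NULL;
    if (!has_credentials(user, pass))
        printf("no credentials supplied; handler should reject before auth\n");
    char *body = build_stream_auth_body("stream_auth", "/test", user, pass);
    if (body != NULL) {
        printf("backend body: %s\n", body);
        free(body);
    }
    return 0;
}
```

With no credentials the body becomes action=stream_auth&mount=%2Ftest&user=&pass= instead of a crash; the has_credentials check is the cheaper option and keeps an unauthenticated killsource request from reaching the backend at all.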




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 May 2015 07:30:36 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 4 13:23:09 2018; Machine Name: beach
