[arch-security] [Arch Linux Security Advisory ASA-201411-32] icecast: information leak

Remi Gacogne rgacogne at archlinux.org
Fri Nov 28 08:54:54 UTC 2014


Arch Linux Security Advisory ASA-201411-32
==========================================

Severity: Critical
Date    : 2014-11-28
CVE-ID  : CVE-2014-9018
Package : icecast
Type    : information leak
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package icecast before version 2.4.1-1 is vulnerable to information
leak.

Resolution
==========

Upgrade to 2.4.1-1.

# pacman -Syu "icecast>=2.4.1-1"

The problem has been fixed upstream in version 2.4.1.

Workaround
==========

Disable on-connect and on-disconnect scripts.

Description
===========

It was reported that Icecast could possibly leak the contents of
on-connect scripts to clients, which may contain sensitive information.

If on-connect/on-disconnect scripts are used, file descriptors of the
server process remain open and could be written to or read from. Most
pressing STDIN, STDOUT, STDERR are handled.
Further all file descriptors up to 1024 are closed. There is a remaining
(much lower) risk in combination of either a malicious or susceptible
script and FDs above 1024.

Impact
======

A remote attacker may be able to extract sensitive information from the
process memory, including but not limited to passwords.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9018
http://icecast.org/news/icecast-release-2_4_1/
https://trac.xiph.org/ticket/2087
https://bugs.archlinux.org/task/42912
http://seclists.org/oss-sec/2014/q4/716

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141128/3e67f259/attachment.bin>


More information about the arch-security mailing list