[arch-security] [Arch Linux Security Advisory ASA-201411-32] icecast: information leak
rgacogne at archlinux.org
Fri Nov 28 08:54:54 UTC 2014
Arch Linux Security Advisory ASA-201411-32
Date : 2014-11-28
CVE-ID : CVE-2014-9018
Package : icecast
Type : information leak
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package icecast before version 2.4.1-1 is vulnerable to information
Upgrade to 2.4.1-1.
# pacman -Syu "icecast>=2.4.1-1"
The problem has been fixed upstream in version 2.4.1.
Disable on-connect and on-disconnect scripts.
It was reported that Icecast could leak the contents of on-connect scripts
to clients, which may contain sensitive information.

If on-connect/on-disconnect scripts are used, file descriptors of the
server process remain open and could be written to or read from. The most
pressing ones, STDIN, STDOUT and STDERR, are handled, and all file
descriptors up to 1024 are closed. A remaining (much lower) risk exists
when either a malicious or susceptible script is combined with FDs above
1024.

A remote attacker may be able to extract sensitive information from the
process memory, including but not limited to passwords.
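The mitigation described above, shown as an added example that is not code from Icecast itself: instead of closing only descriptors 0..1023 before the script runs, it marks every descriptor above stderr close-on-exec, so the residual above-1024 case the advisory mentions is covered too. All function names are hypothetical; a pipe stands in for the server's real descriptors.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Upper bound for scanning descriptors (hypothetical helper). */
static int fd_scan_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    if (n <= 0) n = 1024;      /* the bound the 2.4.1 fix uses */
    if (n > 65536) n = 65536;  /* keep the demo's linear scan cheap */
    return (int)n;
}

/* Count descriptors >= first that are currently open. */
int count_open_fds(int first)
{
    int count = 0, limit = fd_scan_limit();
    for (int fd = first; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            count++;
    return count;
}

/* Mark every descriptor above stderr close-on-exec so that an exec()'d
 * on-connect script cannot inherit it. Returns how many were marked.
 * (Linux 5.9+ also offers close_range() for the same purpose.) */
int mark_cloexec_above_stderr(void)
{
    int marked = 0, limit = fd_scan_limit();
    for (int fd = STDERR_FILENO + 1; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1) continue;                 /* not open */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}

/* 1 if fd is open and would survive exec() into a script, 0 otherwise. */
int fd_leaks_into_child(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

int main(void)
{
    int p[2];  /* constructed stand-in for the server's open descriptors */
    if (pipe(p) == -1) { perror("pipe"); return 1; }
    printf("before: leaks=%d,%d\n", fd_leaks_into_child(p[0]), fd_leaks_into_child(p[1]));
    mark_cloexec_above_stderr();
    printf("after:  leaks=%d,%d\n", fd_leaks_into_child(p[0]), fd_leaks_into_child(p[1]));
    return 0;
}
```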