Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 08 Apr 2015 14:06:20 +0000
From: "Thomas B. Rücker" <>
Subject: Re: CVE Request for Icecast 2.3.3, 2.4.0, 2.4.1, fixed
 in 2.4.2

Hash: SHA1

[resending as it seems Thunderbird/Enigmail breaks my signature]

A new version of Icecast was released, following the discovery of a
remote denial of service vulnerability by Juliane Holzt earlier today.

Affected Icecast versions:
2.3.3(first release with stream_auth)

Fix released in:

We do not release fixes for:
2.3.3: EOL
2.4.0: not necessary, as 2.4.1 was a bugfix release for 2.4.0.

On 04/08/2015 12:52 PM, "Thomas B. Rücker" wrote:
> Today we became aware of a bug in the Icecast code handling source
> client URL-authentication and are releasing a security fix.
> The bug was discovered by Juliane Holzt, who we'd like to thank for
> bringing this to our attention and providing us with further details.
> The bug can only be triggered if "stream_auth" is being used,
> for example:
> <mount>
>   <mount-name>/test.ogg</mount-name>
>   <authentication type="url">
>     <option name="stream_auth" value="http://localhost/auth"/>
>   </authentication>
> </mount>
> This means, that all installations that use a default configuration are
> NOT affected.The default configuration only uses <source-password>.
> Neither are simple mountpoints affected that use <password>.
> A workaround, if installing an updated package is not possible, is to
> disable "stream_auth"and use <password> instead.
> As far as we understand the bug only leads to a simple remote denial of
> service. The underlying issue is a null pointer dereference. For
> clarity: No remote code execution should be possible, server just
> segfaults.
> Proof of concept:
> curl ""
> If the server is configured as above, then it will segfault.A source
> client does not need to be connected to that mount point.
> As Juliane points out: "This only happens when making a request WITHOUT
> login credentials."
> This means, that sadly exploiting this does not require any
> authentication, just the knowledge of a mount point configured with
> stream_auth.
> Original Debian bug report:
> ticket:
> Sources:
> SHA256 aa1ae2fa364454ccec61a9247949d19959cb0ce1b044a79151bf8657fd673f4f
> git-tag: release-2.4.2
> We are requesting a CVE ID through oss-security and I will update the
> ticket once we have received it.

Thanks in advance

Thomas B. Ruecker

Icecast maintainer
Version: GnuPG v1


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.