Bug#782120: icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option
Package: icecast2
Version: 2.4.0-1.1
Severity: important

icecast can be killed by anyone with a simple HTTP request when authentication type=url is used and a stream_auth handler is defined.

Example configuration:

    <mount>
        <mount-name>/test</mount-name>
        <authentication type="url">
            <option name="stream_auth" value="http://127.0.0.1/bla/"/>
        </authentication>
    </mount>

(Note: It does not matter where the URL for stream_auth points to, if it is reachable or not. Actually icecast dies before even accessing that URL.)

Given the above configuration anyone can now easily kill icecast by this command:

    wget http://servername:8000/admin/killsource?mount=/test

This only happens when making a request WITHOUT login credentials.

I'm marking this bug important but it might justify a higher severity. With this security problem the package appears unfit for release.

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
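A configuration audit for the condition described in the report above, as an added example that is not part of the original message or of Icecast itself: it lists mounts that combine URL authentication with a stream_auth option and compares the installed version with 2.4.2, the release this thread later names as fixed. The sample config, the function names and the rule that any version below 2.4.2 is treated as needing an upgrade are assumptions.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 4, 2)  # release the thread names as carrying the fix

# Constructed sample config; the first mount mirrors the one in the report.
SAMPLE = """<icecast>
  <mount><mount-name>/test</mount-name>
    <authentication type="url">
      <option name="stream_auth" value="http://127.0.0.1/bla/"/>
    </authentication></mount>
  <mount><mount-name>/plain</mount-name>
    <authentication type="url">
      <option name="listener_add" value="http://127.0.0.1/add/"/>
    </authentication></mount>
  <mount><mount-name>/files</mount-name>
    <authentication type="htpasswd">
      <option name="filename" value="users"/>
    </authentication></mount>
</icecast>"""

def parse_version(text):
    """'2.4.0-1.1' -> (2, 4, 0); epoch and Debian revision are ignored."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(x) for x in m.groups())

def exposed_mounts(config_xml):
    """Mount names using authentication type=url together with stream_auth."""
    hits = []
    for mount in ET.fromstring(config_xml).iter("mount"):
        auth = mount.find("authentication")
        if auth is None or auth.get("type") != "url":
            continue
        options = {o.get("name") for o in auth.findall("option")}
        if "stream_auth" in options:
            hits.append((mount.findtext("mount-name") or "").strip())
    return hits

def audit(config_xml, installed_version):
    """Flag the config only when a matching mount exists and the fix is absent."""
    mounts = exposed_mounts(config_xml)
    outdated = parse_version(installed_version) < FIXED  # assumption: < 2.4.2
    return {"mounts": mounts, "needs_upgrade": bool(mounts) and outdated}

if __name__ == "__main__":
    print(audit(SAMPLE, "2.4.0-1.1"))
```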
Bug#782120: Upstream is aware and working on a fix
We became aware minutes after the bug was filed (Thanks Ukikie).
We've discussed this with Juliane, reproduced it and are working on a fix and release.
Details later today.

Thomas Ruecker
Icecast maintainer / Xiph.org
Bug#781812: [libav-devel] Bug#781812: libav
Hi,

Quoting Reinhard Tartler (2015-04-05 02:09:23)
> Control: forwarded -1 libav-d...@lists.libav.org
>
> Hi Mathieu,
>
> I would appreciate if in future you could provide a bit more details when reassigning bugs. The quote below was all that I had to start working on this issue, which is terse.
>
> My understanding of this is that we are talking about a curious feature in the MKV container: apparently, you can attach cover art into the container. Libavformat allows applications to access embedded images by providing an extra stream. Please someone correct me, but my understanding of http://git.videolan.org/?p=ffmpeg.git;a=commit;h=511585c is that libavformat implements this inconsistently for different containers. I wonder how did this happen, is there some deeper reason for this inconsistency?
>
> Minidlna seems to have stumbled over this inconsistency and seems to work fine with that patch that was discussed with FFmpeg, but not with Libav. This is a bit disappointing, maybe you could forward such clearly upstream bugs yourself to avoid having the package maintainers as extra round-trip? Thanks.
>
> I do not use minidlna myself, so I cannot verify this issue myself. However, I've tried to apply the patch that was submitted against FFmpeg, which I have attached to this email. I've also compared the output of avprobe on the suggested test sample https://sourceforge.net/projects/matroska/files/test_files/cover_art.mkv with and without the patch. It seems promising to me, but again, I have no means to verify this issue, so please someone else take over of testing it and getting the patch ready for submission in Libav.

Thanks for bringing this up, I've pushed it to master after consulting with the author and fixing a small bug in it.

--
Anton Khirnov
Bug#781812: for later reference
tags -1 fixed-upstream

c4d37cd9ef6e374bb888f6273259b10fac5bd909
Bug#782129: Support atom Xtra
Package: mp4v2-utils
Version: 2.0.0~dfsg0-3
Severity: minor
Tags: upstream

It would be nice to support atom Xtra. Currently it dumps as:

    $ mp4info silence_xtra.m4a
    mp4info version -r
    silence_xtra.m4a:
    Track   Type    Info
    1       audio   MPEG-4 AAC LC, 3.707 secs, 3 kbps, 44100 Hz

Reference implementation is at:

http://code.google.com/p/mp4v2/issues/detail?id=113
Bug#782125: Support atom Xtra
Package: gpac
Version: 0.5.0+svn5324~dfsg1-1+b3
Severity: minor

It would be nice to support atom Xtra. Currently it dumps as:

    <UDTARecord Type="Xtra">
    <UnknownBox>
    <BoxInfo Size="206" Type="Xtra"/>
    </UnknownBox>

Reference implementation is at:

http://code.google.com/p/mp4v2/issues/detail?id=113
Bug#782120: Upstream has released a fixed version.
We've released 2.4.2, which fixes this and should also address possible other similar issues.

http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html

We're currently waiting for the CVE ID from MITRE.

Thanks again to Juliane for bringing this up and discussing further details with us.

Thomas B. Rücker
Icecast maintainer
Bug#779968: icecast2: Please package Icecast 2.4.1
This ticket should be for Icecast 2.4.2 now, due to the security issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Processed: tagging 782120
Processing commands for cont...@bugs.debian.org:

tags 782120 + fixed-upstream upstream security
Bug #782120 [icecast2] icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option
Added tag(s) upstream, security, and fixed-upstream.
thanks
Stopping processing here.

Please contact me if you need assistance.
--
782120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: retitle 782120 to icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option (CVE-2015-3026)
Processing commands for cont...@bugs.debian.org:

retitle 782120 icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option (CVE-2015-3026)
Bug #782120 [icecast2] icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option
Changed Bug title to 'icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option (CVE-2015-3026)' from 'icecast2: icecast can be remotely killed by anyone if using authentication type=url and stream_auth option'
thanks
Stopping processing here.

Please contact me if you need assistance.
--
782120: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782120
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems