[Bug 894782] Re: Newline injection in error.log

2017-10-27 Thread Bug Watch Updater
Launchpad has imported 4 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=768157.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2011-12-15T21:53:42+00:00 Kurt wrote:

A security bug was reported by Moritz Naumann against icecast in
Ubuntu. You are being emailed as the upstream contact. Please keep
oss-secur...@lists.openwall.com[1] CC'd for any updates on this issue.

This issue should be considered public and has not yet been assigned a
CVE.

Details from the public bug follow:
https://launchpad.net/bugs/894782

From the reporter:
"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
> /dev/null
...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Thanks in advance for your cooperation in coordinating a fix for this
issue.

[1] oss-secur...@lists.openwall.com is a public mailing list for
people to collaborate on security vulnerabilities and coordinate
security updates.

-- Jamie Strandboge | http://www.canonical.com

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/comments/6


On 2011-12-15T22:44:51+00:00 Vincent wrote:

Created icecast tracking bugs for this issue

Affects: fedora-all [bug 768175]
Affects: epel-5 [bug 768176]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/comments/7


On 2012-06-15T18:24:56+00:00 Vincent wrote:

This is corrected in upstream 2.3.3 version (released June 11th):

http://www.icecast.org/

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/comments/25


On 2014-02-11T05:45:08+00:00 Murray wrote:

https://bugzilla.novell.com/show_bug.cgi?id=862096 notes the
icecast-2.3.2-CVE-2011-4612.diff introduces a use-after-free flaw and
should be removed (since the issue was fixed upstream). I could not find
this patch in Fedora or EPEL 6.

EPEL 6 is missing from the trackers here ... but it seems to have the
fixed version now, so I will not file one.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/comments/42


** Changed in: icecast2 (Fedora)
   Status: Invalid => Fix Released

** Changed in: icecast2 (Fedora)
   Importance: Unknown => Medium

** Bug watch added: Novell/SUSE Bugzilla #862096
   https://bugzilla.novell.com/show_bug.cgi?id=862096

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/894782

Title:
  Newline injection in error.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/icecast/+bug/894782/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 894782] Re: Newline injection in error.log

2013-05-22 Thread Jamie Strandboge
Actually, Ubuntu 13.04 has the fix as part of 2.3.3-1ubuntu1:
icecast2 (2.3.3-1ubuntu1) raring; urgency=low

  * Merge from debian unstable, remaining changes:
    - 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
      xmlCleanupParser() is only called once: on exit. Doing otherwise
      potentially results in Bad Things (e.g., crashes that point
      incorrectly to PulseAudio).

 -- Lorenzo De Liso   Tue, 04 Dec 2012 16:08:48 +0100

icecast2 (2.3.3-1) unstable; urgency=low

  [ upstream ]
  * New upstream bugfix release.
    + Allow the source password to be undefined. This is to avoid
      falling back to a default password which would be a security
      problem. Fixing #1846
    + Applied justdave's patches, fixing #1717 and #1718. HTTPS now with
      better security and support for chained certificates.
    + trunk/icecast/conf/icecast_minimal.xml.in: Updated  to use
      destination="" not dest="". The old dest="" attribute is still
      supported.
    + Added 'admin' and 'location' to default config, thus fixing #1839.
    + Added VCLT playlist support.
    Closes: bug#652663, which fixes CVE-2011-4612.

** Changed in: icecast2 (Ubuntu)
   Status: Invalid => Fix Released



[Bug 894782] Re: Newline injection in error.log

2013-05-22 Thread Jamie Strandboge
We are closing this bug report because it lacks the information we need
to investigate the problem, as described in the previous comments.
Please reopen it if you can give us the missing information, and don't
hesitate to submit bug reports in the future. To reopen the bug report
you can click on the current status, under the Status column, and change
the Status back to 'New'. Thanks again!


** Changed in: icecast2 (Ubuntu)
   Status: Incomplete => Invalid

** Changed in: icecast2 (Fedora)
   Status: Unknown => Invalid



[Bug 894782]

2012-11-25 Thread Glsamaker
CVE-2011-4612 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4612):
  icecast before 2.3.3 allows remote attackers to inject control characters
  such as newlines into the error log (error.log) via a crafted URL.



[Bug 894782] Re: Newline injection in error.log

2012-11-15 Thread Thomas B . Rücker
Debian has 2.3.3 http://packages.debian.org/source/unstable/icecast2 -
how about updating the ubuntu package based on that?

After all the release fixes 3 security issues (out of which probably 2
apply to the default ubuntu package).



[Bug 894782] Re: Newline injection in error.log

2012-10-15 Thread Jamie Strandboge
** Changed in: icecast2 (Ubuntu)
   Status: In Progress => Incomplete



[Bug 894782] Re: Newline injection in error.log

2012-10-04 Thread Bug Watch Updater
** Changed in: gentoo
   Status: Unknown => Fix Released



[Bug 894782]

2012-10-04 Thread Underling
Thanks, folks. GLSA Vote: No, tool, closing.



[Bug 894782]

2012-10-04 Thread Ackle
Thanks, everyone.

GLSA vote: no.



[Bug 894782]

2012-10-04 Thread Xarthisius
+  18 Sep 2012; Kacper Kowalik  icecast-2.3.3.ebuild:
+  ppc64 stable wrt #394847, add missing inherit of user.eclass and explicit
+  RDEPEND

ppc64 stable, last arch done



[Bug 894782]

2012-08-27 Thread Raúl Porcel
alpha/sparc keywords dropped



[Bug 894782] Re: Newline injection in error.log

2012-08-22 Thread Bug Watch Updater
** Changed in: icecast
   Status: New => Fix Released



[Bug 894782]

2012-08-15 Thread Hwoarang
amd64 done



[Bug 894782]

2012-08-15 Thread Ranger-z
ppc done



[Bug 894782]

2012-08-09 Thread Nativemad
I stumbled upon bug 430434.



[Bug 894782]

2012-08-09 Thread Nativemad
x86 done, thanks!



[Bug 894782]

2012-08-09 Thread Ackle
(In reply to comment #5)
> 2.3.3 now in portage. I can only do a limited testing on my webserver so
> please give it a try (or please ATs, test as much as you can) before marking
> it stable.

Thanks, Markos.

Arches, please test and mark stable:
=net-misc/icecast-2.3.3
Target KEYWORDS: "alpha amd64 ppc ppc64 sparc x86"



[Bug 894782]

2012-08-09 Thread Hwoarang
2.3.3 now in portage. I can only do a limited testing on my webserver so
please give it a try (or please ATs, test as much as you can) before
marking it stable.



[Bug 894782] Re: Newline injection in error.log

2012-07-10 Thread Bug Watch Updater
Launchpad has imported 5 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=394847.



On 2011-12-15T19:08:02+00:00 Petr Písař wrote:

Jamie Strandboge  reported to icecast developers
(CCing ) about possibility to inject
fake message into icecast error log by specially crafted HTTP request
sent to icecast server port discovered by Moritz Naumann:

"Newline injection in error.log

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
> /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Source: http://thread.gmane.org/gmane.comp.audio.icecast.devel/1815

Upstream responded fixing 2.3.3 version would be released soon.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/3


On 2011-12-15T20:54:20+00:00 Underling wrote:

Thanks for the bug, Petr.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/4


On 2011-12-15T22:45:24+00:00 N0idx80 wrote:

I was able to reproduce the fake log file with the same info as referenced here:
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782

netcat must be installed of course

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/6


On 2012-07-10T10:24:22+00:00 Barzog wrote:

Any news? Because 2.3.3 is released.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/23


On 2012-07-10T16:58:54+00:00 Petr Písař wrote:

The 2.3.3 fixes this issue:

r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines
This is part of the patch-set addressing CVE-2011-4612.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/24


** Changed in: gentoo
   Importance: Unknown => Low


[Bug 894782] Re: Newline injection in error.log

2012-06-11 Thread Bug Watch Updater
** Changed in: icecast
   Status: Unknown => New



[Bug 894782] Re: Newline injection in error.log

2012-06-11 Thread Bug Watch Updater
Launchpad has imported 7 comments from the remote bug at
https://bugzilla.novell.com/show_bug.cgi?id=737255.



On 2011-12-16T08:19:09+00:00 Lnussel-k wrote:

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2011-4612

It was found that remote users could inject newlines in the error.log of
icecast, therefore forging log entries

Citing https://launchpad.net/bugs/894782:

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000
> /dev/null

...causes the following to be written to /var/log/icecast2/error.log:
[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for
file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/4


On 2011-12-16T23:00:12+00:00 Swamp-a wrote:

bugbot adjusting priority

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/5


On 2012-03-06T11:46:19+00:00 Tiwai-r wrote:

The fixed packages for 11.4, 12.1 and FACTORY are submitted via SRID
108146, 108145 and 108151, respectively.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/14


On 2012-03-06T12:00:15+00:00 Bwiedemann wrote:

This is an autogenerated message for OBS integration:
This bug (737255) was mentioned in
https://build.opensuse.org/request/show/108145 12.1 / icecast
https://build.opensuse.org/request/show/108146 11.4 / icecast
https://build.opensuse.org/request/show/108151 Factory / icecast

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/15


On 2012-03-06T14:14:23+00:00 Swamp-a wrote:

The SWAMPID for this issue is 45905.
This issue was rated as low.
Please submit fixed packages until 2012-04-03.
When done, please reassign the bug to security-t...@suse.de.
Patchinfo will be handled by security team.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/16


On 2012-03-08T11:08:19+00:00 Swamp-a wrote:

Update released for: icecast, icecast-debuginfo, icecast-debugsource
Products:
openSUSE 11.4 (debug, i586, x86_64)

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/17


On 2012-03-09T10:49:47+00:00 Lnussel-k wrote:

all released

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/18


** Changed in: opensuse
   Status: Unknown => Fix Released

** Changed in: opensuse
   Importance: Unknown => Low



[Bug 894782] Re: Newline injection in error.log

2012-06-11 Thread Gary M
** Bug watch added: Novell/SUSE Bugzilla #737255
   https://bugzilla.novell.com/show_bug.cgi?id=737255

** Also affects: opensuse via
   https://bugzilla.novell.com/show_bug.cgi?id=737255
   Importance: Unknown
   Status: Unknown



[Bug 894782] Re: Newline injection in error.log

2012-06-11 Thread Gary M
** Bug watch added: Gentoo Bugzilla #394847
   http://bugs.gentoo.org/show_bug.cgi?id=394847

** Also affects: gentoo via
   http://bugs.gentoo.org/show_bug.cgi?id=394847
   Importance: Unknown
   Status: Unknown



[Bug 894782] Re: Newline injection in error.log

2012-06-11 Thread Gary M
xiph.org have just announced version 2.3.3, which includes a fix for
CVE-2011-4612 :
http://lists.xiph.org/pipermail/icecast/2012-June/012217.html

** Bug watch added: Debian Bug tracker #652663
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652663

** Also affects: icecast via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652663
   Importance: Unknown
   Status: Unknown

** Bug watch added: Red Hat Bugzilla #768157
   https://bugzilla.redhat.com/show_bug.cgi?id=768157

** Also affects: icecast2 (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=768157
   Importance: Unknown
   Status: Unknown



[Bug 894782] Re: Newline injection in error.log

2012-03-03 Thread Jamie Strandboge
Zubin, thank you for your work on these patches. Unfortunately, they are
still being patched directly, rather than using the quilt patches system
(notice the debian/patches directory-- your patch should be in this
directory). As mentioned, please see
http://pkg-perl.alioth.debian.org/howto/quilt.html for more information.

Additionally, the patches do not contain DEP-3 comments. These are
required for patch attribution, origin, extended description, bugs, etc.
Has this patch been forwarded upstream? Does it come from an upstream
commit? Has it been reviewed by upstream? This information should be
captured in the DEP-3 comments (see http://dep.debian.net/deps/dep3/ for
details).

Unsubscribing ubuntu-security-sponsors for now. Please make these
adjustments and resubscribe. Thanks again.

** Changed in: icecast2 (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: icecast2 (Ubuntu)
 Assignee: (unassigned) => Zubin Mithra (zubin-mithra)



[Bug 894782] Re: Newline injection in error.log

2012-02-27 Thread Zubin Mithra
Hi,

I've attached the patch for maverick along.

** Patch added: "icecast2_2.3.2-5ubuntu1.10.10.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2787444/+files/icecast2_2.3.2-5ubuntu1.10.10.1.debdiff



[Bug 894782] Re: Newline injection in error.log

2012-02-27 Thread Zubin Mithra
Hi Steve,

I've corrected the above mentioned issues; please find attached a patch
for lucid; I'll attach a patch for maverick and pass it over upstream
asap.

Cheers!

** Patch added: "icecast2_2.3.2-5ubuntu1.10.04.1.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2787241/+files/icecast2_2.3.2-5ubuntu1.10.04.1.debdiff



[Bug 894782] Re: Newline injection in error.log

2012-02-24 Thread Steve Beattie
Zubin, thanks for updating your patch. I see a couple of issues with
your patch:

  - the filter loop quits when \0 is reached at the end of the existing
path, but never writes \0 to the end of the filtered string. Any
attempts to read the filtered string will run off the end of the
malloc(3)ed memory and read whatever memory contents happen to be
adjacent to it. It may cause the daemon to crash if it hits an unmapped
page.

  - the result of strlen(3) is used to calculate the amount of memory to
malloc(3) for the filtered string, but strlen(3) reports the length of
the string not including the trailing \0. So the allocated array will
not have enough room for you to write the trailing \0 once you do so.

Please address these issues and test your fix once you've done so to
verify that you've addressed the issue, as well as consider submitting
your patch to the upstream icecast project; poking around their svn
tree (http://www.icecast.org/svn.php), it appears this issue is still
unfixed there as well.


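The two defects described in the review above (no terminating \0 written after the filter loop, and a buffer sized from strlen(3) with no room for it) are easiest to see beside a filter that avoids both. The following is an added example, not the debdiff attached to this bug and not the upstream 2.3.3 change: log_sanitize, log_line_count and format_log_entry are hypothetical names, the sample path is constructed from the report's request after URL decoding, and the filter goes beyond the thread's \r and \n by replacing every ASCII control byte with '_'.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the report's request path after URL decoding, shortened. */
static const char SAMPLE_PATH[] =
    "/non-existent\" No such file or directory\r\n"
    "[1970-01-01  00:00:00] PHUN I'm feeling phunny";

/*
 * Return a heap copy of `path` in which every ASCII control byte
 * (0x01-0x1f and 0x7f, so CR and LF included) is replaced by '_'.
 * The caller frees the result. Returns NULL on NULL input or if
 * the allocation fails.
 */
char *log_sanitize(const char *path)
{
    size_t len, i;
    char *out;

    if (path == NULL)
        return NULL;

    len = strlen(path);      /* strlen() does not count the trailing '\0' ... */
    out = malloc(len + 1);   /* ... so one extra byte is reserved for it      */
    if (out == NULL)
        return NULL;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)path[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '_' : path[i];
    }
    out[len] = '\0';         /* the loop stops before '\0', so write it here  */
    return out;
}

/* Number of physical lines `msg` occupies once written to a log file. */
size_t log_line_count(const char *msg)
{
    size_t lines = 1;

    for (; *msg != '\0'; msg++) {
        if (*msg == '\n')
            lines++;
    }
    return lines;
}

/*
 * Build one error.log style message for a requested path, filtering the
 * path first. The message prefix is the one shown in the report.
 * Returns the message length, or -1 on failure or truncation.
 */
int format_log_entry(char *buf, size_t buflen, const char *path)
{
    char *safe = log_sanitize(path);
    int n;

    if (safe == NULL)
        return -1;
    n = snprintf(buf, buflen,
                 "INFO fserve/fserve_client_create checking for file %s",
                 safe);
    free(safe);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    char entry[512];

    printf("unfiltered path spans %zu log lines\n",
           log_line_count(SAMPLE_PATH));
    if (format_log_entry(entry, sizeof entry, SAMPLE_PATH) < 0)
        return 1;
    printf("filtered entry spans %zu line(s):\n%s\n",
           log_line_count(entry), entry);
    return 0;
}
```
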

[Bug 894782] Re: Newline injection in error.log

2012-02-24 Thread Steve Beattie
Oh, sorry, a couple of other comments:

 - the icecast2 package uses quilt to manage patches, please add your fix to
   the series of patches there (the Quilt for Debian Maintainers page
   http://pkg-perl.alioth.debian.org/howto/quilt.html gives more information on
   how to do that).
 - maverick (Ubuntu 10.10) has the same version of icecast in it; we'll need to
   update both at the same time or the maverick version will be less than the
   version in lucid-updates.
 - with that, the version should be 2.3.2-5ubuntu1.10.04.1 (and
   2.3.2-5ubuntu1.10.10.1 for maverick-security) not 2.3.2-5ubuntu2; if we weren't
   updating maverick, the correct version would be 2.3.2-5ubuntu1.1. See
   https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging on
   using correct versioning to avoid possible conflicts.

Thanks again.



[Bug 894782] Re: Newline injection in error.log

2012-02-21 Thread Zubin Mithra
Please find attached a new debdiff which replaces \r and \n with '_',
rather than trim the string.

** Patch added: "icecast2_2.3.2-5ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2767108/+files/icecast2_2.3.2-5ubuntu2.debdiff



[Bug 894782] Re: Newline injection in error.log

2012-02-20 Thread Ubuntu Foundation's Bug Bot
The attachment "icecast2_2.3.2-5ubuntu2.debdiff" of this bug report has
been identified as being a patch in the form of a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  In the event that this is in
fact not a patch you can resolve this situation by removing the tag
'patch' from the bug report and editing the attachment so that it is not
flagged as a patch.  Additionally, if you are member of the ubuntu-
sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by
Brian Murray.  Please contact him regarding any issues with the action
taken in this bug report.]

** Tags added: patch



[Bug 894782] Re: Newline injection in error.log

2012-02-20 Thread Zubin Mithra
Please find attached a debdiff that patches the issue by trimming at
occurrences of "\r" or "\n". Tested on lenny. After applying the debdiff, you
have:

$ echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null
Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
$ cat /var/log/icecast2/error.log
[2012-02-20  19:32:34] INFO main/main Icecast 2.3.2 server started[2012-02-20  19:32:34] INFO connection/get_ssl_certificate No SSL capability
[2012-02-20  19:32:34] INFO stats/_stats_thread stats thread started
[2012-02-20  19:32:34] INFO yp/yp_update_thread YP update thread started
[2012-02-20  19:32:34] INFO fserve/fserv_thread_function file serving thread started
[2012-02-20  19:33:23] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory (/usr/share/icecast2/web/non-existent" No such file or directory)
[2012-02-20  19:33:23] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/non-existent" No such file or directory" No such file or directory

** Patch added: "icecast2_2.3.2-5ubuntu2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2762593/+files/icecast2_2.3.2-5ubuntu2.debdiff


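Added example, not the code from either debdiff (the attachments are not
reproduced in this thread): the two approaches described in the messages
above, trimming at the first "\r" or "\n" versus replacing each with '_',
applied to a constructed, shortened copy of the decoded request path. The
function names are hypothetical. Both leave one physical line per log
record; replacing keeps the injected text visible on that line, trimming
discards it.

```c
#include <stdio.h>
#include <string.h>

/* First debdiff's approach as described: cut the string at the first CR or LF. */
static char *log_trim_crlf(char *s)
{
    s[strcspn(s, "\r\n")] = '\0';
    return s;
}

/* Second debdiff's approach as described: overwrite each CR or LF with '_'. */
static char *log_replace_crlf(char *s)
{
    for (char *p = s; *p != '\0'; p++)
        if (*p == '\r' || *p == '\n')
            *p = '_';
    return s;
}

/* Number of physical lines a record would occupy in error.log. */
static int log_lines(const char *record)
{
    int n = 1;
    for (; *record != '\0'; record++)
        if (*record == '\n')
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample: the URL-decoded request path from the report, shortened. */
    const char raw[] = "/non-existent\" No such file or directory\r\n"
                       "[1970-01-01  00:00:00] PHUN I'm feeling phunny";
    char trimmed[sizeof raw], replaced[sizeof raw];

    strcpy(trimmed, raw);
    strcpy(replaced, raw);
    log_trim_crlf(trimmed);
    log_replace_crlf(replaced);

    printf("raw      (%d lines): %s\n", log_lines(raw), raw);
    printf("trimmed  (%d lines): %s\n", log_lines(trimmed), trimmed);
    printf("replaced (%d lines): %s\n", log_lines(replaced), replaced);
    return 0;
}
```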

[Bug 894782] Re: Newline injection in error.log

2011-12-15 Thread Jamie Strandboge
This is CVE-2011-4612

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4612



[Bug 894782] Re: Newline injection in error.log

2011-12-15 Thread Jamie Strandboge
Thank you for using Ubuntu and reporting a bug. Because icecast is in universe 
and community supported, this issue has been forwarded to upstream and 
oss-security:
http://www.openwall.com/lists/oss-security/2011/12/15/4

** Changed in: icecast2 (Ubuntu)
   Importance: Undecided => Low



[Bug 894782] Re: Newline injection in error.log

2011-12-15 Thread Jamie Strandboge
** Visibility changed to: Public

** Changed in: icecast2 (Ubuntu)
   Status: New => Confirmed
