Thomas B. Rücker
2018-11-01 16:21:32 UTC
We released a new version of Icecast.
It is a security release and we recommend to update all
Icecast installations of versions below 2.4.4 to it.
-Â Â Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
   * This security issue affects all Icecast servers running version
2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
that enables URL authentication.
   * A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution.
   * The problematic code was introduced in version 2.4.0 and
was now brought to our attention by Nick Rolfe of
Semmle Security Research Team https://lgtm.com/security
https://gitlab.xiph.org/xiph/icecast-server/commit/b21a7283bd1598c5af0bbb250a041ba8198f98f2
-Â Â Worked around buffer overflows in URL auth's cURL interface.
   * We currently do not believe that this issue is exploitable.
It would require a malicious URL authentication back end server
 to send a crafted payload and make it through libcURL.
   * If someone manages, please let us know.
https://gitlab.xiph.org/xiph/icecast-server/commit/03ea74c04a5966114c2fe66e4e6892d11a68181e
Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
[#2342]: https://gitlab.xiph.org/xiph/icecast-server/issues/2342
Thomas B. Ruecker
Icecast maintainer
PS: Default installations are not affected. This is an advanced feature.
It is a security release and we recommend to update all
Icecast installations of versions below 2.4.4 to it.
-Â Â Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
   * This security issue affects all Icecast servers running version
2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
that enables URL authentication.
   * A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution.
   * The problematic code was introduced in version 2.4.0 and
was now brought to our attention by Nick Rolfe of
Semmle Security Research Team https://lgtm.com/security
https://gitlab.xiph.org/xiph/icecast-server/commit/b21a7283bd1598c5af0bbb250a041ba8198f98f2
-Â Â Worked around buffer overflows in URL auth's cURL interface.
   * We currently do not believe that this issue is exploitable.
It would require a malicious URL authentication back end server
 to send a crafted payload and make it through libcURL.
   * If someone manages, please let us know.
https://gitlab.xiph.org/xiph/icecast-server/commit/03ea74c04a5966114c2fe66e4e6892d11a68181e
Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz
[#2342]: https://gitlab.xiph.org/xiph/icecast-server/issues/2342
Thomas B. Ruecker
Icecast maintainer
PS: Default installations are not affected. This is an advanced feature.