Thomas B. Rücker
2018-11-01 16:21:32 UTC
It is a security release and we recommend to update all
Icecast installations of versions below 2.4.4 to it.
-Â Â Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
Â Â Â * This security issue affects all Icecast servers running version
2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
that enables URL authentication.
Â Â Â * A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution.
Â Â Â * The problematic code was introduced in version 2.4.0 and
was now brought to our attention by Nick Rolfe of
Semmle Security Research Team https://lgtm.com/security
-Â Â Worked around buffer overflows in URL auth's cURL interface.
Â Â Â * We currently do not believe that this issue is exploitable.
It would require a malicious URL authentication back end server
Â to send a crafted payload and make it through libcURL.
Â Â Â * If someone manages, please let us know.
Thomas B. Ruecker
PS: Default installations are not affected. This is an advanced feature.