Icecast 2.4.4 - CVE-2018-18820 - buffer overflow in url-auth
(too old to reply)
Thomas B. Rücker
2018-11-01 16:21:32 UTC
We released a new version of Icecast.
It is a security release and we recommend to update all
Icecast installations of versions below 2.4.4 to it.

-   Fix buffer overflows in URL auth code, [CVE-2018-18820]. [#2342]
    * This security issue affects all Icecast servers running version
2.4.0, 2.4.1, 2.4.2 or 2.4.3 if there is a "mount" definition
that enables URL authentication.
    * A malicious client could send long HTTP headers, leading to
a buffer overflow and potential remote code execution.
    * The problematic code was introduced in version 2.4.0 and
was now brought to our attention by Nick Rolfe of
Semmle Security Research Team https://lgtm.com/security


-   Worked around buffer overflows in URL auth's cURL interface.
    * We currently do not believe that this issue is exploitable.
It would require a malicious URL authentication back end server
 to send a crafted payload and make it through libcURL.
    * If someone manages, please let us know.


Source: http://downloads.xiph.org/releases/icecast/icecast-2.4.4.tar.gz

[#2342]: https://gitlab.xiph.org/xiph/icecast-server/issues/2342

Thomas B. Ruecker
Icecast maintainer

PS: Default installations are not affected. This is an advanced feature.