diff -Nru icecast2-2.3.3/debian/changelog icecast2-2.3.3/debian/changelog
--- icecast2-2.3.3/debian/changelog 2014-04-10 14:02:18.000000000 -0400
+++ icecast2-2.3.3/debian/changelog 2015-04-28 17:59:40.000000000 -0400
@@ -1,3 +1,32 @@
+icecast2 (2.3.3-2ubuntu1.1) trusty; urgency=high
+
+ * SECURITY UPDATE: Denial of service vulnerability.
+ - d/p/0002-crash-in-url-auth:
+ This fixes a crash (NULL reference) in case URL Auth is used
+ and stream_auth is trigged with no credentials passed by the client.
+ Username and password is now set to empty strings and transmited to
+ the backend server this way.
+ - CVE-2015-3026
+ * SECURITY UPDATE: Potentially leaks sensitive information.
+ - d/p/0001-disconnects_stdio_of_on_dis_connect_scripts:
+ Include patchset 19313 (close file handles for external scripts).
+ - CVE-2014-9018
+ * SECURITY UPDATE: Potentially allows local users to gain
+ privileges via unspecified vectors.
+ - d/p/0003-override-supplementary-groups:
+ In case of only UID and GID were changed,
+ supplementary groups were left in place.
+ This is a potential security issue only if is used.
+ New behaviour is to set UID, GID and set supplementary groups
+ based on the UID.
+ Even in case of icecast remaining in supplementary group 0
+ this "only" gives it things like access to files that are owned
+ by group 0 and according to their umask. This is obviously bad,
+ but not as bad as UID 0 with all its other special rights.
+ - CVE-2014-9091
+
+ -- Unit 193 Tue, 28 Apr 2015 17:28:20 -0400
+
 icecast2 (2.3.3-2ubuntu1) trusty; urgency=medium

 * Merge from Debian unstable. Remaining changes:
diff -Nru icecast2-2.3.3/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts icecast2-2.3.3/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts
--- icecast2-2.3.3/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts 1969-12-31 19:00:00.000000000 -0500
+++ icecast2-2.3.3/debian/patches/0001-disconnects_stdio_of_on_dis_connect_scripts 2015-04-28 17:55:58.000000000 -0400
@@ -0,0 +1,87 @@
+Description: Icecast before 2.4.1 transmits the output of the on-connect script, which
+ might allow remote attackers to obtain sensitive information, related to
+ shared file descriptors.
+Source: http://bugs.debian.org/770222
+Bug: http://bugs.debian.org/770222
+CVE: CVE-2014-9018
+
+Index: icecast2-2.3.3/src/source.c
+===================================================================
+--- icecast2-2.3.3.orig/src/source.c
++++ icecast2-2.3.3/src/source.c
+@@ -33,6 +33,12 @@
+ #define snprintf _snprintf
+ #endif
+
++#ifndef _WIN32
++/* for __setup_empty_script_environment() */
++#include
++#include
++#endif
++
+ #include "thread/thread.h"
+ #include "avl/avl.h"
+ #include "httpp/httpp.h"
+@@ -1277,6 +1283,34 @@ void source_client_callback (client_t *c
+
+
+ #ifndef _WIN32
++/* this sets up the new environment for script execution.
++ * We ignore most failtures as we can not handle them anyway.
++ */
++static inline void __setup_empty_script_environment(void) {
++ int i;
++
++ /* close at least the first 1024 handles */
++ for (i = 0; i < 1024; i++)
++ close(i);
++
++ /* open null device */
++ i = open("/dev/null", O_RDWR);
++ if (i != -1) {
++ /* attach null device to stdin, stdout and stderr */
++ if (i != 0)
++ dup2(i, 0);
++ if (i != 1)
++ dup2(i, 1);
++ if (i != 2)
++ dup2(i, 2);
++
++ /* close null device */
++ if (i > 2)
++ close(i);
++ }
++}
++#endif
++
+ static void source_run_script (char *command, char *mountpoint)
+ {
+ pid_t pid, external_pid;
+@@ -1292,10 +1326,15 @@ static void source_run_script (char *com
+ ERROR2 ("Unable to fork %s (%s)", command, strerror (errno));
+ break;
+ case 0: /* child */
++ if (access(command, R_OK|X_OK) != 0) {
++ ERROR2 ("Unable to run command %s (%s)", command, strerror(errno));
++ exit(1);
++ }
+ DEBUG1 ("Starting command %s", command);
+- execl (command, command, mountpoint, (char *)NULL);
+- ERROR2 ("Unable to run command %s (%s)", command, strerror (errno));
+- exit(0);
++ __setup_empty_script_environment();
++ /* consider to add action here as well */
++ execl(command, command, mountpoint, (char *)NULL);
++ exit(1);
+ default: /* parent */
+ break;
+ }
+@@ -1308,8 +1347,6 @@ static void source_run_script (char *com
+ break;
+ }
+ }
+-#endif
+-
+
+ static void *source_fallback_file (void *arg)
+ {
diff -Nru icecast2-2.3.3/debian/patches/0002-crash-in-url-auth icecast2-2.3.3/debian/patches/0002-crash-in-url-auth
--- icecast2-2.3.3/debian/patches/0002-crash-in-url-auth 1969-12-31 19:00:00.000000000 -0500
+++ icecast2-2.3.3/debian/patches/0002-crash-in-url-auth 2015-04-28 17:57:01.000000000 -0400
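Review bot: The fixed bound in `for (i = 0; i < 1024; i++) close(i);` inside `__setup_empty_script_environment()` (patch 0001, src/source.c) leaves every descriptor numbered 1024 or higher open in the on-connect/on-disconnect script, so a server holding more than 1024 open descriptors still shares some of them with the script, which is the exposure CVE-2014-9018 describes. Take the bound from the process limit instead, e.g. `long maxfd = sysconf(_SC_OPEN_MAX); if (maxfd < 1024) maxfd = 1024;` followed by `for (i = 0; i < maxfd; i++) close(i);`. Separately, the child branch of `source_run_script()` no longer logs anything when `execl()` itself fails, because the old `ERROR2` after it was removed and the `access()` test before it is only advisory. A comment such as `/* stdio is /dev/null from here on; an execl() failure is visible only as exit status 1 */` would document that for whoever debugs a script that never runs.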
@@ -0,0 +1,35 @@
+Description: This fixes a crash (NULL reference) in case URL Auth is used
+ and stream_auth is trigged with no credentials passed by the client.
+ Username and password is now set to empty strings and transmited to
+ the backend server this way.
+
+Source: http://git.xiph.org/?p=icecast-server.git;a=commitdiff;h=27abfbbd688df3e3077b535997330aa06603250f
+CVE: CVE-2015-3026
+
+Index: icecast2-2.3.3/src/auth_url.c
+===================================================================
+--- icecast2-2.3.3.orig/src/auth_url.c
++++ icecast2-2.3.3/src/auth_url.c
+@@ -485,10 +485,20 @@ static void url_stream_auth (auth_client
+ host = util_url_escape (config->hostname);
+ port = config->port;
+ config_release_config ();
+- user = util_url_escape (client->username);
+- pass = util_url_escape (client->password);
+ ipaddr = util_url_escape (client->con->ip);
+
++ if (client->username) {
++ user = util_url_escape(client->username);
++ } else {
++ user = strdup("");
++ }
++
++ if (client->password) {
++ pass = util_url_escape(client->password);
++ } else {
++ pass = strdup("");
++ }
++
+ snprintf (post, sizeof (post),
+ "action=stream_auth&mount=%s&ip=%s&server=%s&port=%d&user=%s&pass=%s%s",
+ mount, ipaddr, host, port, user, pass, admin);
diff -Nru icecast2-2.3.3/debian/patches/0003-override-supplementary-groups icecast2-2.3.3/debian/patches/0003-override-supplementary-groups
--- icecast2-2.3.3/debian/patches/0003-override-supplementary-groups 1969-12-31 19:00:00.000000000 -0500
+++ icecast2-2.3.3/debian/patches/0003-override-supplementary-groups 2015-04-28 17:57:50.000000000 -0400
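Review bot: The two `strdup("")` results in `url_stream_auth()` (patch 0002, src/auth_url.c) are used unchecked, so an allocation failure sends a NULL `user` or `pass` into the `%s` conversions of the `snprintf (post, ...)` call, which is undefined behaviour and can bring the server down just as the missing-credentials case did. Whether `util_url_escape()` can also return NULL is not visible here. Add a guard before the `snprintf`, e.g. `if (user == NULL || pass == NULL) { /* free what was allocated and fail this auth request */ }`. A comment should also record that the backend now receives `user=&pass=` for clients that sent no credentials, so the auth backend must treat empty values as unauthenticated and not as a valid empty login. The function continues outside the hunk, so its cleanup path could not be checked.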
@@ -0,0 +1,28 @@
+Description: Icecast before 2.4.0 does not change the supplementary group privileges
+ when is configured, which allows local users to gain
+ privileges via unspecified vectors.
+Source: https://trac.xiph.org/changeset/19137/
+CVE: CVE-2014-9091
+
+Index: icecast/trunk/icecast/src/main.c
+===================================================================
+--- a/src/main.c
++++ b/src/main.c
+@@ -391,12 +391,13 @@
+ }
+
+- if(gid != -1) {
++ if(uid != (uid_t)-1 && gid != (gid_t)-1) {
+ if(!setgid(gid))
+ fprintf(stdout, "Changed groupid to %i.\n", (int)gid);
+ else
+ fprintf(stdout, "Error changing groupid: %s.\n", strerror(errno));
+- }
+-
+- if(uid != -1) {
++ if(!initgroups(conf->user, gid))
++ fprintf(stdout, "Changed supplementary groups based on user: %s.\n", conf->user);
++ else
++ fprintf(stdout, "Error changing supplementary groups: %s.\n", strerror(errno));
+ if(!setuid(uid))
+ fprintf(stdout, "Changed userid to %i.\n", (int)uid);
diff -Nru icecast2-2.3.3/debian/patches/series icecast2-2.3.3/debian/patches/series
--- icecast2-2.3.3/debian/patches/series 2014-04-10 13:58:08.000000000 -0400
+++ icecast2-2.3.3/debian/patches/series 2015-04-28 18:00:07.000000000 -0400
@@ -1,2 +1,5 @@
+0001-disconnects_stdio_of_on_dis_connect_scripts
+0002-crash-in-url-auth
+0003-override-supplementary-groups
 1001_autotools_avoid_debian-subdir.patch
 1004_fix_xmlCleanupParser_splatter.patch
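Review bot: A failed `setgid()`, `initgroups()` or `setuid()` in the patch 0003 hunk for src/main.c is only reported with `fprintf(stdout, "Error changing ...")` and the code carries on to the next call, so a server started as root can keep the uid, gid or supplementary groups this change is meant to shed. The privilege drop should fail closed and stop startup on any non-zero return, e.g. `if (setgid(gid) != 0 || initgroups(conf->user, gid) != 0 || setuid(uid) != 0) { fprintf(stderr, "Unable to drop privileges: %s.\n", strerror(errno)); exit(1); }`, or the project's usual fatal-startup path. The new condition `uid != (uid_t)-1 && gid != (gid_t)-1` also means nothing is dropped when only one of the two ids is set, which deserves at least a warning message. The end of the block and the code that sets `uid` and `gid` are outside the hunk, so both should be checked there.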