New(ish) release 0.6.0 fixing shell command injection vulnerability
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ezstream (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
There has been a release in early 2015 fixing a shell command injection vulnerability.
From http://
"Version 0.6.0 is a security and maintenance release.
This release contains a SECURITY FIX for a command injection vulnerability that was found and reported by Alexandre Rebert:
The previous handling of metadata placeholders allowed for arbitrary shell commands to be trivially injected and executed as the ezstream user, via malicious media files.
This vulnerability depends on both a configuration using metadata placeholders and the user streaming media files from untrusted sources without noticing `commands` or $(commands) in artist or title fields.
While the group of actually affected users may be limited, all users are advised to upgrade.
[...]"
The Ubuntu package's most recent changelog entry (from 0.5.6~dfsg-1 in xenial) is from 2009, so this vulnerability most likely has not been patched either in the existing package.
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https:/ /wiki.ubuntu. com/SecurityTea m/UpdateProcedu res