Newline injection in error.log
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Icecast | Fix Released | Unknown | |
Gentoo Linux | Fix Released | Low | |
openSUSE | Fix Released | Low | |
icecast2 (Fedora) | Fix Released | Medium | |
icecast2 (Ubuntu) | Fix Released | Low | Zubin Mithra |
Bug Description
Running this command against an icecast2 running on 127.0.0.1...
echo -ne "GET /non-existent"
...causes the following to be written to /var/log/
[2011-11-25 15:37:31] INFO fserve/
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/
[2011-11-25 15:37:31] WARN fserve/
[1970-01-01 00:00:00] PHUN I'm feeling phunny
[2011-11-25 15:37:31] WARN fserve/
As you can see above, this allows for falsifying the log file, by adding custom messages. Apparently input validation is insufficient and URL encoded newlines (%0d%0a) are expanded to actual newlines in the log file.
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: icecast2 2.3.2-6ubuntu2
ProcVersionSign
Uname: Linux 3.0.0-13-generic x86_64
ApportVersion: 1.23-0ubuntu4
Architecture: amd64
Date: Fri Nov 25 15:38:59 2011
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
ProcEnviron:
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: icecast2
UpgradeStatus: Upgraded to oneiric on 2011-10-21 (35 days ago)
mtime.conffile.
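The report above describes decoded request data reaching error.log with its CR/LF bytes intact. As an added example (not part of the original report and not Icecast's actual fix), this is one way to neutralise such data before it is logged; `log_escape`, `count_records`, `demo_record` and the record layout are hypothetical names and formats chosen for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Icecast code: copy src into dst, turning control
 * bytes and backslash into visible escapes so one request can only ever
 * produce one log record. Truncates safely; returns bytes written. */
size_t log_escape(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0) return 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '\\') {                       /* keep escapes unambiguous */
            if (o + 2 >= dstlen) break;
            dst[o++] = '\\'; dst[o++] = '\\';
        } else if (c < 0x20 || c == 0x7f) {    /* CR, LF, ESC, DEL, ... */
            if (o + 4 >= dstlen) break;
            dst[o++] = '\\'; dst[o++] = 'x';
            dst[o++] = hex[c >> 4]; dst[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= dstlen) break;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return o;
}

/* Number of log records (newline-terminated lines) in buf. */
int count_records(const char *buf)
{
    int n = 0;
    for (; *buf; buf++) n += (*buf == '\n');
    return n;
}

/* Constructed input: a request path as it looks after URL-decoding %0d%0a.
 * The record layout below is illustrative, not Icecast's exact format. */
const char *demo_record(void)
{
    static char line[512];
    char safe[256];
    log_escape(safe, sizeof safe, "/non-existent\r\n[1970-01-01 00:00:00] PHUN I'm feeling phunny");
    snprintf(line, sizeof line, "[2011-11-25 15:37:31] WARN request \"%s\" not found\n", safe);
    return line;
}

int main(void) { fputs(demo_record(), stdout); return 0; }
```

Escaping has to happen after URL-decoding and immediately before the write, so that every code path that logs request-derived strings goes through it.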
CVE References
visibility: | private → public |
Changed in icecast2 (Ubuntu): | |
status: | New → Confirmed |
Changed in opensuse: | |
importance: | Unknown → Low |
status: | Unknown → Fix Released |
Changed in icecast: | |
status: | Unknown → New |
Changed in gentoo: | |
importance: | Unknown → Low |
Changed in icecast: | |
status: | New → Fix Released |
Changed in gentoo: | |
status: | Unknown → Fix Released |
Changed in icecast2 (Ubuntu): | |
status: | In Progress → Incomplete |
Changed in icecast2 (Ubuntu): | |
status: | Incomplete → Confirmed |
status: | Confirmed → Incomplete |
Changed in icecast2 (Fedora): | |
importance: | Unknown → Medium |
status: | Invalid → Fix Released |
Thank you for using Ubuntu and reporting a bug. Because icecast is in universe and community supported, this issue has been forwarded to upstream and oss-security: www.openwall.com/lists/oss-security/2011/12/15/4
http://