Newline injection in error.log

Thank you for using Ubuntu and reporting a bug. Because icecast is in universe and community supported, this issue has been forwarded to upstream and oss-security:
http://www.openwall.com/lists/oss-security/2011/12/15/4

This is CVE-2011-4612

Please find attached, a debdiff that patches the issue by trimming at occurances of "\r" or "\n". Tested on lenny. After applying the, you have :-

$ echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%20fserve/fserve_client_create%20req%20for%20file%20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null
Connection to 127.0.0.1 8000 port [tcp/*] succeeded!
$ cat /var/log/icecast2/error.log
[2012-02-20 19:32:34] INFO main/main Icecast 2.3.2 server started[2012-02-20 19:32:34] INFO connection/get_ssl_certificate No SSL capability
[2012-02-20 19:32:34] INFO stats/_stats_thread stats thread started
[2012-02-20 19:32:34] INFO yp/yp_update_thread YP update thread started
[2012-02-20 19:32:34] INFO fserve/fserv_thread_function file serving thread started
[2012-02-20 19:33:23] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory (/usr/share/icecast2/web/non-existent" No such file or directory)
[2012-02-20 19:33:23] WARN fserve/fserve_client_create req for file "/usr/share/icecast2/web/non-existent" No such file or directory" No such file or directory

The attachment "icecast2_2.3.2-5ubuntu2.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Please find attached a new debdiff which replaces \r and \n with '_', rather than trim the string.

Zubin, thanks for updating your patch. I see a couple of issues with your patch:

  - the filter loop quits when \0 is reached at the end of the existing path, but never writes \0 to the end of the filtered string. Any attempts to read the filtered string will run off the end of the malloc(3)ed memory and read what ever memory contents happen to be adjacent to it. It may cause the daemon to crash if it hits an unmapped page.

  - the result of strlen(3) is used to calculate the amount of memory to malloc(3) for the filtered string, but strlen(3) reports the length of the string not including the trailing \0. So the allocated array will not have enough room for you to write the trailing \0 once you do so.

Please address these issues and test your fix once you've done so to verify that you've addressed the issue, as well as consider submitting your patch to the upstream icecast project; poking around their svn tree(http://www.icecast.org/svn.php) , it appears this issue is still unfixed there as well.

Oh, sorry, a couple of other comments:

 - the icecast2 package uses quilt to manage patches, please add your fix to the series of patches there (the Quilt for Debian Maintainers page http://pkg-perl.alioth.debian.org/howto/quilt.html gives more information on how to do that).
 - maverick (Ubuntu 10.10) has the same version of icecast in it; we'll need to update both at the same time or the maverick version will be less than the version in lucid-updates.
 - with that, the version should be 2.3.2-5ubuntu1.10.04.1 (and 2.3.2-5ubuntu1.10.10.1for maverick-security) not 2.3.2-5ubuntu2; if we weren't updating maverick, the correct version would be 2.3.2-5ubuntu1.1. See https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging on using correct versioning to avoid possible conflicts.

Thanks again.

Hi Steve,

I've corrected the above mentioned issues; please find attached a patch for lucid; I'll attach a patch for maverick and pass it over upstream asap.

Cheers!

Hi,

I've attached the patch for maverick along.

Zubin, thank you for your work on these patches. Unfortunately, they are still being patched directly, rather than using the quilt patches system (notice the debian/patches directory-- your patch should be in this directory). As mentioned, please see http://pkg-perl.alioth.debian.org/howto/quilt.html for more information.

Additionally, the patches do not contain DEP-3 comments. These are required for patch attribution, origin, extended description, bugs, etc. Has this patch been forwarded upstream? Does it come from an upstream commit? Has it been reviewed by upstream? This information should be captured in the DEP-3 comments (see http://dep.debian.net/deps/dep3/ for details).

Unsubscribing ubuntu-security-sponsors for now. Please make these adjustments and resubscribe. Thanks again.

xiph.org have just announced version 2.3.3, which includes a fix for CVE-2011-4612 : http://lists.xiph.org/pipermail/icecast/2012-June/012217.html

Debian has 2.3.3 http://packages.debian.org/source/unstable/icecast2 - how about updating the ubuntu package based on that?

After all the release fixes 3 security issues (out of which probably 2 apply to the default ubuntu package).

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to 'New'. Thanks again!

Actually, Ubuntu 13.04 has the fix as part of 2.3.3-1ubuntu1:
icecast2 (2.3.3-1ubuntu1) raring; urgency=low

  * Merge from debian unstable, remaining changes:
    - 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
      xmlCleanupParser() is only called once: on exit. Doing otherwise
      potentially results in Bad Things (e.g., crashes that point
      incorrectly to PulseAudio).

 -- Lorenzo De Liso <email address hidden> Tue, 04 Dec 2012 16:08:48 +0100

icecast2 (2.3.3-1) unstable; urgency=low

  [ upstream ]
  * New upstream bugfix release.
    + Allow the source password to be undefined. This is to avoid
      falling back to a default password which would be a security
      problem. Fixing #1846
    + Applied justdave's patches, fixing #1717 and #1718. HTTPS now with
      better security and support for chained certificates.
    + trunk/icecast/conf/icecast_minimal.xml.in: Updated <alias> to use
      destination="" not dest="". The old dest="" attribute is still
      supported.
    + Added 'admin' and 'location' to default config, thus fixing #1839.
    + Added VCLT playlist support.
    Closes: bug#652663, which fixes CVE-2011-4612.