A flaw was found in the client URL authentication handling code: The bug can only be triggered if "stream_auth" is being used, for example: <mount> <mount-name>/test.ogg</mount-name> <authentication type="url"> <option name="stream_auth" value="http://localhost/auth"/> </authentication> </mount> This means, that all installations that use a default configuration are NOT affected. The default configuration only uses <source-password>. Neither are simple mountpoints affected that use <password>. A workaround, if installing an updated package is not possible, is to disable "stream_auth"and use <password> instead. As far as we understand the bug only leads to a simple remote denial of service. The underlying issue is a null pointer dereference. For clarity: No remote code execution should be possible, server just segfaults. Proof of concept: curl "http://example.org:8000/admin/killsource?mount=/test.ogg"; Upstream issue: https://trac.xiph.org/ticket/2191 Upstream announcement: http://lists.xiph.org/pipermail/icecast-dev/2015-April/002460.html Upstream patch: https://trac.xiph.org/changeset/27abfbbd688df3e3077b535997330aa06603250f/icecast-server CVE request: http://seclists.org/oss-sec/2015/q2/77
Created icecast tracking bugs for this issue: Affects: fedora-all [bug 1210199] Affects: epel-all [bug 1210200]
icecast-2.4.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.