Bug#1101131: icecast2: DoS vector using incorrect TLS teardown
Package: icecast2
Version: 2.4.4-4+b1
Severity: important
Tags: upstream
Dear Maintainer,
Icecast2 in Debian is affected by this upstream issue with TLS
connections (https://gitlab.xiph.org/xiph/icecast-server/-/issues/2355):
> When in a TLS SOURCE connection the socket is closed without TLS
> teardown Icecast will read from the socket in a tight endless loop.
> This locks up the corresponding thread.
This has been visibly patched in upstream's VCS, in a 2.4.5 branch that
looks like it has not been released yet:
https://gitlab.xiph.org/xiph/icecast-server/-/commit/8662884447efc414e885b20b965f465d37a01fb5
I applied this patch by simply dowloading the txt version from GitLab:
https://gitlab.xiph.org/xiph/icecast-server/-/commit/8662884447efc414e885b20b965f465d37a01fb5.patch
I am currently running a patched version of icecast2 and the problems
seems to be fixed.
A reliable way to reproduce the issue is to enable TLS, create a stream
with BUTT and have at least one listener (e.g. with firefox), then click
the stop button of BUTT. This make icecast use 100% of a CPU while
beeing in a waiting state.
The bug did not happen back yet with the patched version.
Could you please add this patch to the patch series?
--
Nicolas Peugnet
Reply to: