Bug#691186: unblock: icecast2/2.3.2-9+deb7u2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Ok to upload to t-p-u with the attached debdiff?
This fixes CVE-2011-4612 / #652663)
unblock icecast2/2.3.2-9+deb7u2
Cheers,
Moritz
diff -Nru icecast2-2.3.2/debian/changelog icecast2-2.3.2/debian/changelog
--- icecast2-2.3.2/debian/changelog 2012-09-14 00:55:08.000000000 +0200
+++ icecast2-2.3.2/debian/changelog 2012-10-22 20:40:33.000000000 +0200
@@ -1,3 +1,9 @@
+icecast2 (2.3.2-9+deb7u2) wheezy; urgency=low
+
+ * CVE-2011-4612 (Closes: #652663)
+
+ -- Moritz Muehlenhoff <jmm@debian.org> Sun, 21 Oct 2012 18:32:47 +0200
+
icecast2 (2.3.2-9+deb7u1) wheezy; urgency=low
* Team upload.
diff -Nru icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch
--- icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch 1970-01-01 01:00:00.000000000 +0100
+++ icecast2-2.3.2/debian/patches/1004_CVE-2011-4612.patch 2012-10-22 20:43:21.000000000 +0200
@@ -0,0 +1,227 @@
+diff -aur icecast2-2.3.2.orig/src/format_mp3.c icecast2-2.3.2/src/format_mp3.c
+--- icecast2-2.3.2.orig/src/format_mp3.c 2007-10-19 05:02:35.000000000 +0200
++++ icecast2-2.3.2/src/format_mp3.c 2012-10-22 20:37:31.000000000 +0200
+@@ -595,7 +595,7 @@
+ memcpy (meta->data, source_mp3->build_metadata,
+ source_mp3->build_metadata_len);
+
+- DEBUG1("shoutcast metadata %.4080s", meta->data+1);
++ DEBUG2("shoutcast metadata %.*s", 4080, meta->data+1);
+ if (strncmp (meta->data+1, "StreamTitle=", 12) == 0)
+ {
+ filter_shoutcast_metadata (source, source_mp3->build_metadata,
+diff -aur icecast2-2.3.2.orig/src/fserve.c icecast2-2.3.2/src/fserve.c
+--- icecast2-2.3.2.orig/src/fserve.c 2008-04-29 06:32:10.000000000 +0200
++++ icecast2-2.3.2/src/fserve.c 2012-10-22 20:37:31.000000000 +0200
+@@ -397,7 +397,7 @@
+ FILE *file;
+
+ fullpath = util_get_path_from_normalised_uri (path);
+- INFO2 ("checking for file %s (%s)", path, fullpath);
++ INFO2 ("checking for file %H (%H)", path, fullpath);
+
+ if (strcmp (util_get_extension (fullpath), "m3u") == 0)
+ m3u_requested = 1;
+@@ -411,7 +411,7 @@
+ /* the m3u can be generated, but send an m3u file if available */
+ if (m3u_requested == 0 && xspf_requested == 0)
+ {
+- WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno));
++ WARN2 ("req for file \"%H\" %s", fullpath, strerror (errno));
+ client_send_404 (httpclient, "The file you requested could not be found");
+ free (fullpath);
+ return -1;
+@@ -482,7 +482,7 @@
+ config = config_get_config();
+ if (config->fileserve == 0)
+ {
+- DEBUG1 ("on demand file \"%s\" refused", fullpath);
++ DEBUG1 ("on demand file \"%H\" refused", fullpath);
+ client_send_404 (httpclient, "The file you requested could not be found");
+ config_release_config();
+ free (fullpath);
+@@ -493,7 +493,7 @@
+ if (S_ISREG (file_buf.st_mode) == 0)
+ {
+ client_send_404 (httpclient, "The file you requested could not be found");
+- WARN1 ("found requested file but there is no handler for it: %s", fullpath);
++ WARN1 ("found requested file but there is no handler for it: %H", fullpath);
+ free (fullpath);
+ return -1;
+ }
+@@ -501,7 +501,7 @@
+ file = fopen (fullpath, "rb");
+ if (file == NULL)
+ {
+- WARN1 ("Problem accessing file \"%s\"", fullpath);
++ WARN1 ("Problem accessing file \"%H\"", fullpath);
+ client_send_404 (httpclient, "File not readable");
+ free (fullpath);
+ return -1;
+diff -aur icecast2-2.3.2.orig/src/log/log.c icecast2-2.3.2/src/log/log.c
+--- icecast2-2.3.2.orig/src/log/log.c 2008-01-24 04:10:20.000000000 +0100
++++ icecast2-2.3.2/src/log/log.c 2012-10-22 20:37:31.000000000 +0200
+@@ -420,11 +420,132 @@
+ _unlock_logger ();
+ }
+
++static void __vsnprintf(char *str, size_t size, const char *format, va_list ap) {
++ int in_block = 0;
++ int block_size = 0;
++ int block_len;
++ const char * arg;
++ char buf[80];
++
++ for (; *format && size; format++)
++ {
++ if ( !in_block )
++ {
++ if ( *format == '%' ) {
++ in_block = 1;
++ block_size = 0;
++ block_len = 0;
++ }
++ else
++ {
++ *(str++) = *format;
++ size--;
++ }
++ }
++ else
++ {
++ // TODO: %l*[sdupi] as well as %.4080s and "%.*s
++ arg = NULL;
++ switch (*format)
++ {
++ case 'l':
++ block_size++;
++ break;
++ case '.':
++ // just ignore '.'. If somebody cares: fix it.
++ break;
++ case '*':
++ block_len = va_arg(ap, int);
++ break;
++ case '1':
++ case '2':
++ case '3':
++ case '4':
++ case '5':
++ case '6':
++ case '7':
++ case '8':
++ case '9':
++ block_len = atoi(format);
++ for (; *format >= '0' && *format <= '9'; format++);
++ break;
++ case 'p':
++ snprintf(buf, sizeof(buf), "%p", (void*)va_arg(ap, void *));
++ arg = buf;
++ case 'd':
++ case 'i':
++ case 'u':
++ if (!arg)
++ {
++ switch (block_size)
++ {
++ case 0:
++ if (*format == 'u')
++ snprintf(buf, sizeof(buf), "%u", (unsigned int)va_arg(ap, unsigned int));
++ else
++ snprintf(buf, sizeof(buf), "%i", (int)va_arg(ap, int));
++ break;
++ case 1:
++ if (*format == 'u')
++ snprintf(buf, sizeof(buf), "%lu", (unsigned long int)va_arg(ap, unsigned long int));
++ else
++ snprintf(buf, sizeof(buf), "%li", (long int)va_arg(ap, long int));
++ break;
++ case 2:
++ if (*format == 'u')
++ snprintf(buf, sizeof(buf), "%llu", (unsigned long long int)va_arg(ap, unsigned long long int));
++ else
++ snprintf(buf, sizeof(buf), "%lli", (long long int)va_arg(ap, long long int));
++ break;
++ default:
++ snprintf(buf, sizeof(buf), "<<<invalid>>>");
++ break;
++ }
++ arg = buf;
++ }
++ case 's':
++ case 'H':
++ // TODO.
++ if (!arg)
++ arg = va_arg(ap, const char *);
++ if (!arg)
++ arg = "(null)";
++ if (!block_len)
++ block_len = strlen(arg);
++
++ // the if() is the outer structure so the inner for()
++ // is branch optimized.
++ if (*format == 'H' )
++ {
++ for (; *arg && block_len && size; arg++, size--)
++ {
++ if (*arg <= '"')
++ *(str++) = '.';
++ else
++ *(str++) = *arg;
++ }
++ }
++ else
++ {
++ for (; *arg && block_len && size; arg++, size--)
++ *(str++) = *arg;
++ }
++ in_block = 0;
++ break;
++ }
++ }
++ }
++
++ if ( !size )
++ str--;
++
++ *str = 0;
++}
+
+ void log_write(int log_id, unsigned priority, const char *cat, const char *func,
+ const char *fmt, ...)
+ {
+- static char *prior[] = { "EROR", "WARN", "INFO", "DBUG" };
++ static const char *prior[] = { "EROR", "WARN", "INFO", "DBUG" };
+ int datelen;
+ time_t now;
+ char pre[256];
+@@ -435,16 +556,16 @@
+ if (loglist[log_id].level < priority) return;
+ if (priority > sizeof(prior)/sizeof(prior[0])) return; /* Bad priority */
+
++
+ va_start(ap, fmt);
+- vsnprintf(line, LOG_MAXLINELEN, fmt, ap);
++ __vsnprintf(line, sizeof(line), fmt, ap);
++ va_end(ap);
+
+ now = time(NULL);
+-
+- _lock_logger();
+ datelen = strftime (pre, sizeof (pre), "[%Y-%m-%d %H:%M:%S]", localtime(&now));
+-
+ snprintf (pre+datelen, sizeof (pre)-datelen, " %s %s%s ", prior [priority-1], cat, func);
+
++ _lock_logger();
+ if (_log_open (log_id))
+ {
+ int len = create_log_entry (log_id, pre, line);
+@@ -452,8 +573,6 @@
+ loglist[log_id].size += len;
+ }
+ _unlock_logger();
+-
+- va_end(ap);
+ }
+
+ void log_write_direct(int log_id, const char *fmt, ...)
diff -Nru icecast2-2.3.2/debian/patches/series icecast2-2.3.2/debian/patches/series
--- icecast2-2.3.2/debian/patches/series 2012-09-14 00:55:08.000000000 +0200
+++ icecast2-2.3.2/debian/patches/series 2012-10-22 20:40:50.000000000 +0200
@@ -1,3 +1,4 @@
1001_autotools_avoid_debian-subdir.patch
1002_add_missing_xspf_file
1003_fix_memory_leak.patch
+1004_CVE-2011-4612.patch
\ Kein Zeilenumbruch am Dateiende.
Reply to: