Remote Root exploit in stable icecast-server package

To: <debian-security@lists.debian.org>
Cc: <dmz@debian.org>, <mdorman@debian.org>
Subject: Remote Root exploit in stable icecast-server package
From: "Andrew Tait" <debian@cnl.com.au>
Date: Mon, 26 Nov 2001 14:29:26 +1100
Message-id: <[🔎] 00bd01c1762a$96da56c0$034e15cb@cnl.com.au>
References: <[🔎] 20011125093718.B5847@eye-net.com.au> <[🔎] 20011125091857.A8912@khazad-dum>

Hi All,

I have been considering changing our RealAudio broadcasts (on a NT box) over
to a linux box and have decided to go with a icecast server.

However, I noticed that the stable package is version 1.00. Version 1.3.8b2
and prior have a remote vunerability to execute code as the particular
UID/GID that the icecast-server is running, which, forgive me if I'm wrong,
appears to be root!

I cannot find and security advisories on this matter either!

Can we get the package fixed or at least the stable packeage removed?

The woody package has been fixed, and the server runs as a user "icecast"
instead of root.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: andrewt@cnl.com.au
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

Reply to:

References:
- (How) do we roll-back lprng?
  - From: csmall@eye-net.com.au (Craig Small)
- Re: (How) do we roll-back lprng?
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Re: is 3des secure??
Next by Date: Re: is 3des secure??
Previous by thread: Re: (How) do we roll-back lprng?
Next by thread: Printing a RFC on non-US PAPERsize
Index(es):
- Date
- Thread