Hello community, here is the log from the commit of package icecast for openSUSE:Factory checked in at 2013-06-05 17:42:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/icecast (Old) and /work/SRC/openSUSE:Factory/.icecast.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "icecast" Changes: -------- --- /work/SRC/openSUSE:Factory/icecast/icecast.changes 2013-03-08 09:13:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.icecast.new/icecast.changes 2013-06-05 17:42:30.000000000 +0200 
@@ -1,0 +2,48 @@ +Wed Jun 5 00:10:46 UTC 2013 - [email protected] + +- update to 2.3.3: + * security: + + Improved HTTPS cipher handling and added support for chained certificates. + + Allow the source password to be undefined. There was a corner case, where + a default password would have taken effect. It would require the admin to + remove the 'source-password' from the icecast config to take effect. Default + configs ship with the password set, so this vulnerability doesn't trigger + there. + + Prevent error log injection of control characters by substituting + non-alphanumeric characters with a '.' (CVE-2011-4612). Injection attempts + can be identified via access.log, as that stores URL encoded requests. + Investigation if further logging code needs to have sanitized output is + ongoing. + + * bugfixes: + + On-demand relaying - Reject listeners while reconnecting. Fix stats for + relays without mount section. + + Prevent too frequent YP updates. + + Only allow raw metadata updates from same IP as connected source (unless + user is admin). This addresses broken client software that issues updates + without being connected. + + Minor memory leaks + + XSPF file installation + + Fix case of global listeners count becoming out of sync. + + Setting an interval of 0 in mount should disable shoutcast metadata inserts. + + * authentication: + + Sources can now be authenticated via URL, like listeners. Post info is + "action=stream_auth&mount=/stream&ip=IP&server=SERVER&port=8000&user=fred&pass=pass" + As admin requests can come in for a stream (eg metadata update) these + requests can be issued while stream is active. For these &admin=1 is added to + the POST details. 
+ + * XSL update: + + automatically generate VCLT playlist like we do with M3U, the mountpoint + extension is .vclt + +- package updates: + * add systemd service file + * add logrotate configuration + * add Gentoo patches + * set pidfile directive in default config file to make it work with + systemd + * split out HTML documentation into -doc subpackage + +------------------------------------------------------------------- Old: ---- icecast-2.3.2.tar.bz2 New: ---- icecast-2.3.3-fix-xiph_openssl.patch icecast-2.3.3-libkate.patch icecast-2.3.3.tar.gz icecast-add_pidfile_directive.patch icecast.logrotate icecast.rpmlintrc icecast.service ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ icecast.spec ++++++ --- /var/tmp/diff_new_pack.3i2Y48/_old 2013-06-05 17:42:31.000000000 +0200 +++ /var/tmp/diff_new_pack.3i2Y48/_new 2013-06-05 17:42:31.000000000 +0200 @@ -17,19 +17,25 @@ Name: icecast -Version: 2.3.2 +Version: 2.3.3 Release: 0 Summary: Audio Streaming Server License: GPL-2.0+ Group: Productivity/Networking/Web/Servers Url: http://www.icecast.org/ -Source: %{name}-%{version}.tar.bz2 +Source: http://downloads.xiph.org/releases/icecast/icecast-%{version}.tar.gz Source1: icecast.init +Source2: icecast.service +Source3: icecast.logrotate +Source99: icecast.rpmlintrc # PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch0: icecast-2.3.1_runas_icecast_user.patch # PATCH-MISSING-TAG -- See http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines Patch1: icecast-fix-no-add-needed.patch Patch2: icecast-2.3.2-CVE-2011-4612.diff +Patch3: icecast-add_pidfile_directive.patch +Patch4: http://data.gpo.zugaina.org/gentoo/net-misc/icecast/files/icecast-2.3.3-libkate.patch +Patch5: http://data.gpo.zugaina.org/gentoo/net-misc/icecast/files/icecast-2.3.3-fix-xiph_openssl.patch BuildRequires: curl-devel BuildRequires: libtheora-devel BuildRequires: libtool 
@@ -37,21 +43,45 @@ BuildRequires: libxslt-devel BuildRequires: openssl-devel BuildRequires: speex-devel +%if 0%{?suse_version} >= 1140 +%if 0%{?suse_version} > 1220 +%define _unitdir /usr/lib/systemd +%else +%define _unitdir /lib/systemd +%endif +BuildRequires: systemd +%{?systemd_requires} +%endif PreReq: %fillup_prereq PreReq: %insserv_prereq PreReq: /usr/sbin/groupadd PreReq: /usr/sbin/useradd +Recommends: logrotate BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Icecast is a MP3 and OGG streaming server able to serve many clients with MP3 and OGG audio. +%package doc +Summary: Documentation for Icecast +Group: Documentation/Other + +%description doc +Icecast is a MP3 and OGG streaming server able to serve many clients +with MP3 and OGG audio. + +This package contains the upstream HTML documentation and the sample +configuration files from upstream. + %prep %setup -q %patch0 %patch1 -%patch2 -p1 +%patch2 +%patch3 +%patch4 -p1 +%patch5 -p1 %build autoreconf -fiv 
@@ -65,40 +95,80 @@ install -d -m 0755 %{buildroot}%{_sbindir} install -D -m 0755 %{SOURCE1} %{buildroot}%{_sysconfdir}/init.d/%{name} ln -s -f %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} +%if 0%{?suse_version} >= 1140 +# service file +install -d "%{buildroot}%{_unitdir}/system" +install -D -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/system/icecast.service +%endif # create missing dirs install -d -m 0755 %{buildroot}%{_localstatedir}/{lib,log}/%{name} +# logrotate +install -D -m 0644 %{SOURCE3} %{buildroot}/etc/logrotate.d/%{name} + +D=%{buildroot}%{_docdir}/%{name} +install -d "$D" +cp -a README AUTHORS COPYING NEWS TODO ChangeLog "$D/" +cp -a doc/*.{html,jpg,css} "$D/" +cp -a conf/*.dist "$D/" + %clean -[ %{buildroot} != "/" -a -d %{buildroot} ] && rm -rf %{buildroot} +%{?buildroot:%__rm -rf %{buildroot}} %pre /usr/sbin/groupadd -r %{name} &>/dev/null || : /usr/sbin/useradd -g %{name} -s /bin/false -r -c "Icecast streaming server" -d %{_localstatedir}/lib/%{name} %{name} &>/dev/null || : - -%post -%fillup_and_insserv %{name} +%if 0%{?suse_version} > 1140 +%service_add_pre %{name}.service +%endif %preun %stop_on_removal %{name} +%if 0%{?suse_version} > 1140 +%service_del_preun %{name}.service +%endif + +%post +%fillup_and_insserv %{name} +%if 0%{?suse_version} > 1140 +%service_add_post %{name}.service +%endif %postun %restart_on_update %{name} %insserv_cleanup +%if 0%{?suse_version} > 1140 +%service_del_postun %{name}.service +%endif %files %defattr(-,root,root) -%doc README AUTHORS COPYING NEWS TODO ChangeLog -%doc doc/*.html -%doc doc/*.jpg -%doc doc/*.css -%doc conf/*.dist +%dir %doc %{_docdir}/%{name} +%doc %{_docdir}/%{name}/README +%doc %{_docdir}/%{name}/AUTHORS +%doc %{_docdir}/%{name}/COPYING +%doc %{_docdir}/%{name}/NEWS +%doc %{_docdir}/%{name}/TODO +%doc %{_docdir}/%{name}/ChangeLog %config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}.xml +%config(noreplace) /etc/logrotate.d/%{name} %{_bindir}/icecast %{_datadir}/icecast 
%{_sbindir}/rc%{name} %{_sysconfdir}/init.d/%{name} +%if 0%{?suse_version} >= 1140 +%config %{_unitdir}/system/%{name}.service +%endif # TODO: enable chroot support in this dir %{_localstatedir}/lib/%{name} -%attr(755,%{name},%{name}) %{_localstatedir}/log/%{name} +%attr(750,%{name},%{name}) %{_localstatedir}/log/%{name} + +%files doc +%defattr(-,root,root) +%dir %doc %{_docdir}/%{name} +%doc %{_docdir}/%{name}/*.html +%doc %{_docdir}/%{name}/*.jpg +%doc %{_docdir}/%{name}/*.css +%doc %{_docdir}/%{name}/*.dist %changelog ++++++ icecast-2.3.2-CVE-2011-4612.diff ++++++ --- /var/tmp/diff_new_pack.3i2Y48/_old 2013-06-05 17:42:31.000000000 +0200 +++ /var/tmp/diff_new_pack.3i2Y48/_new 2013-06-05 17:42:31.000000000 +0200 @@ -1,11 +1,7 @@ ---- - src/fserve.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - ---- a/src/fserve.c -+++ b/src/fserve.c -@@ -395,6 +395,19 @@ int fserve_client_create (client_t *http - int xspf_requested = 0, xspf_file_available = 1; +--- src/fserve.c.orig 2013-06-04 23:27:51.958232557 +0200 ++++ src/fserve.c 2013-06-04 23:28:58.929312505 +0200 +@@ -410,6 +410,19 @@ + int xslt_playlist_file_available = 1; ice_config_t *config; FILE *file; + char *filtered_path, *p; 
@@ -15,77 +11,56 @@ + */ + filtered_path = strdup(path); + if (!filtered_path) -+ return -1; ++ return -1; + for (p = filtered_path; *p; p++) { + if (*p == '\r' || *p == '\n') -+ *p = '_'; ++ *p = '_'; + } + path = filtered_path; fullpath = util_get_path_from_normalised_uri (path); - INFO2 ("checking for file %s (%s)", path, fullpath); -@@ -414,6 +427,7 @@ int fserve_client_create (client_t *http - WARN2 ("req for file \"%s\" %s", fullpath, strerror (errno)); + INFO2 ("checking for file %H (%H)", path, fullpath); +@@ -432,6 +445,7 @@ + WARN2 ("req for file \"%H\" %s", fullpath, strerror (errno)); client_send_404 (httpclient, "The file you requested could not be found"); free (fullpath); -+ free (filtered_path); ++ free (filtered_path); return -1; } m3u_file_available = 0; -@@ -462,6 +476,7 @@ int fserve_client_create (client_t *http +@@ -480,6 +494,7 @@ fserve_add_client (httpclient, NULL); free (sourceuri); free (fullpath); -+ free (filtered_path); ++ free (filtered_path); return 0; } - if (xspf_requested && xspf_file_available == 0) -@@ -475,6 +490,8 @@ int fserve_client_create (client_t *http - free (reference); - admin_send_response (doc, httpclient, TRANSFORMED, "xspf.xsl"); - xmlFreeDoc(doc); -+ free (fullpath); -+ free (filtered_path); - return 0; - } - -@@ -486,6 +503,7 @@ int fserve_client_create (client_t *http + if (xslt_playlist_requested && xslt_playlist_file_available == 0) +@@ -504,6 +519,7 @@ client_send_404 (httpclient, "The file you requested could not be found"); config_release_config(); free (fullpath); -+ free (filtered_path); ++ free (filtered_path); return -1; } config_release_config(); -@@ -495,6 +513,7 @@ int fserve_client_create (client_t *http +@@ -513,6 +529,7 @@ client_send_404 (httpclient, "The file you requested could not be found"); - WARN1 ("found requested file but there is no handler for it: %s", fullpath); + WARN1 ("found requested file but there is no handler for it: %H", fullpath); free (fullpath); -+ free (filtered_path); ++ 
free (filtered_path); return -1; } -@@ -504,6 +523,7 @@ int fserve_client_create (client_t *http - WARN1 ("Problem accessing file \"%s\"", fullpath); +@@ -522,9 +539,11 @@ + WARN1 ("Problem accessing file \"%H\"", fullpath); client_send_404 (httpclient, "File not readable"); free (fullpath); -+ free (filtered_path); ++ free (filtered_path); return -1; } free (fullpath); -@@ -594,6 +614,7 @@ int fserve_client_create (client_t *http - - stats_event_inc (NULL, "file_connections"); - fserve_add_client (httpclient, file); -+ free (filtered_path); - - return 0; - -@@ -603,6 +624,7 @@ fail: - sock_write (httpclient->con->sock, - "HTTP/1.0 416 Request Range Not Satisfiable\r\n\r\n"); - client_destroy (httpclient); + free (filtered_path); - return -1; - } + content_length = file_buf.st_size; + range = httpp_getvar (httpclient->parser, "range"); ++++++ icecast-2.3.3-fix-xiph_openssl.patch ++++++ Index: icecast-2.3.3/m4/xiph_openssl.m4 =================================================================== --- icecast-2.3.3.orig/m4/xiph_openssl.m4 +++ icecast-2.3.3/m4/xiph_openssl.m4 @@ -10,7 +10,7 @@ AC_ARG_WITH(openssl, AC_HELP_STRING([--with-openssl=PFX],[Prefix where openssl is installed (optional)]), openssl_prefix="$withval", openssl_prefix="") -if test "x$openssl_prefix" != "x" -a "x$openssl_prefix" != "xyes"; then +if test "x$openssl_prefix" != "x" -a "x$openssl_prefix" != "xyes" -a "x$openssl_prefix" != "xno"; then OPENSSL_LIBS="-L$openssl_prefix/lib -lssl" OPENSSL_CFLAGS="-I$openssl_prefix/include" else ++++++ icecast-2.3.3-libkate.patch ++++++ Index: icecast-2.3.3/configure.in =================================================================== --- icecast-2.3.3.orig/configure.in +++ icecast-2.3.3/configure.in 
@@ -81,14 +81,18 @@ XIPH_PATH_SPEEX( [ AC_MSG_WARN([Speex support disabled!]) ]) -AC_CHECK_LIB(kate, kate_decode_init,[have_kate=yes],[have_kate=no], -logg) -if test "x$have_kate" == "xyes" +AC_ARG_ENABLE([kate], AS_HELP_STRING([--disable-kate], [Disable karaoke and text encapsulation support for ogg])) +if test "x$enable_kate" != "xno" then - AC_CHECK_LIB(oggkate, kate_ogg_decode_headerin,[have_kate=yes],[have_kate=no],-lkate -logg) + AC_CHECK_LIB(kate, kate_decode_init,[have_kate=yes],[have_kate=no], -logg) if test "x$have_kate" == "xyes" then - KATE_LIBS="-loggkate -lkate -logg" - AC_DEFINE([HAVE_KATE],[1],[Define if you have libkate]) + AC_CHECK_LIB(oggkate, kate_ogg_decode_headerin,[have_kate=yes],[have_kate=no],-lkate -logg) + if test "x$have_kate" == "xyes" + then + KATE_LIBS="-loggkate -lkate -logg" + AC_DEFINE([HAVE_KATE],[1],[Define if you have libkate]) + fi fi fi dnl we still use format_kate as it doesn't need libkate to work ++++++ icecast-add_pidfile_directive.patch ++++++ --- conf/icecast.xml.in.orig 2013-06-05 01:46:14.664301324 +0200 +++ conf/icecast.xml.in 2013-06-05 01:47:00.851343292 +0200 @@ -138,7 +138,7 @@ <logdir>@localstatedir@/log/@PACKAGE@</logdir> <webroot>@pkgdatadir@/web</webroot> <adminroot>@pkgdatadir@/admin</adminroot> - <!-- <pidfile>@pkgdatadir@/icecast.pid</pidfile> --> + <pidfile>@localstatedir@/run/icecast.pid</pidfile> <!-- Aliases: treat requests for 'source' path as being for 'dest' path May be made specific to a port or bound address using the "port" ++++++ icecast-fix-no-add-needed.patch ++++++ --- /var/tmp/diff_new_pack.3i2Y48/_old 2013-06-05 17:42:31.000000000 +0200 +++ /var/tmp/diff_new_pack.3i2Y48/_new 2013-06-05 17:42:31.000000000 +0200 @@ -1,14 +1,14 @@ ---- configure.in.orig -+++ configure.in +--- configure.in.orig 2013-06-04 23:21:32.945687628 +0200 ++++ configure.in 2013-06-04 23:30:16.635405784 +0200 
@@ -1,6 +1,7 @@ - AC_INIT([Icecast], [2.3.2], [[email protected]]) + AC_INIT([Icecast], [2.3.3], [[email protected]]) AC_PREREQ(2.54) +AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_SRCDIR(src/main.c) dnl Process this file with autoconf to produce a configure script. -@@ -8,7 +9,8 @@ AM_INIT_AUTOMAKE +@@ -8,7 +9,8 @@ AM_CONFIG_HEADER(config.h) AM_MAINTAINER_MODE 
@@ -18,19 +18,10 @@ AC_CANONICAL_HOST AC_PROG_LIBTOOL AC_SYS_LARGEFILE -@@ -22,7 +24,6 @@ if test -z "$GCC"; then - else - XIPH_CPPFLAGS="-Wall -ffast-math -fsigned-char" - PROFILE="-pg -g" -- AC_DEFINE([_GNU_SOURCE], 1, [Define to include GNU extensions to POSIX]) - fi - - dnl Checks for programs. -@@ -49,10 +50,12 @@ AC_SEARCH_LIBS(nanosleep, rt posix4, AC_ - XIPH_NET +@@ -50,9 +52,12 @@ dnl -- configure options -- -- + +XIPH_PATH_XML XIPH_PATH_XSLT XIPH_VAR_APPEND([XIPH_CPPFLAGS],[$XSLT_CFLAGS]) ++++++ icecast.logrotate ++++++ /var/log/icecast/*log { missingok notifempty sharedscripts postrotate /sbin/service icecast reload > /dev/null 2>&1 || true endscript } ++++++ icecast.rpmlintrc ++++++ addFilter("non-etc-or-var-file-marked-as-conffile /usr/lib/systemd/system/icecast.service") addFilter("suse-logrotate-user-writable-log-dir /var/log/icecast icecast:icecast 0750") ++++++ icecast.service ++++++ # This file is part of package postfix. # # Copyright (c) 2013 Pascal Bleser <[email protected]> # Authors: # * Pascal Bleser # * http://pyn00b.blogspot.be/2012/11/life-with-systemd-part-2.html # * Werner Fink for the postfix.service file # # Description: # # Used to start the Icecast server. # [Unit] Description=Icecast Server Requires=var-run.mount network.target remote-fs.target syslog.target time-sync.target After=var-run.mount network.target remote-fs.target syslog.target time-sync.target [Service] ExecStart=/usr/bin/icecast -b -c /etc/icecast.xml ExecReload=/bin/kill -HUP $MAINPID ExecStop=/bin/kill -TERM $MAINPID Type=forking PIDFile=/var/run/icecast.pid [Install] WantedBy=multi-user.target -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
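Review bot: In the icecast.spec hunk at @@ -17,19 +17,25 @@, Patch4 and Patch5 point at a third-party mirror (data.gpo.zugaina.org) and Source at downloads.xiph.org, all over plain http, and nothing in the visible spec pins a checksum or signature for any of them. Since the three files are shipped in the package anyway, a tag comment above each patch stating its origin, as the PATCH-MISSING-TAG lines already ask for, would document provenance better than a fetchable URL. If upstream publishes a signature or checksum for icecast-2.3.3.tar.gz, add it as a source so the tarball can be verified.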
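Review bot: The systemd conditionals in icecast.spec (hunks @@ -37,21 +43,45 @@ and @@ -65,40 +95,80 @@) disagree on the version bound: BuildRequires, the unit install and the %files entry use `%if 0%{?suse_version} >= 1140`, while `%service_add_pre`, `%service_add_post`, `%service_del_preun` and `%service_del_postun` are guarded by `> 1140`. On exactly 1140 the package ships icecast.service with no scriptlet handling for it. Pick one bound and use it in every block. Separately, the %files entry marks the unit as `%config` and icecast.rpmlintrc then filters non-etc-or-var-file-marked-as-conffile; dropping `%config` from the unit file removes the need for that filter.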
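Review bot: The refreshed icecast-2.3.2-CVE-2011-4612.diff drops the old hunk that added `free (fullpath);` and `free (filtered_path);` before `return 0;` in the xspf branch, and no new hunk covers the `xslt_playlist_requested && xslt_playlist_file_available == 0` branch that replaced it, so filtered_path looks leaked on that return path unless it is released somewhere not shown. Also, `path = filtered_path;` makes path an alias of the strdup'd buffer, and the last hunk now frees it just before `content_length = file_buf.st_size;`, so please confirm nothing later in the function reads path. Since the changelog entry says 2.3.3 already addresses CVE-2011-4612 upstream, the spec should say why this patch, still named 2.3.2, is carried on top.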
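Review bot: In icecast-2.3.3-fix-xiph_openssl.patch, excluding "xno" from the prefix test sends --without-openssl into the else branch, which this hunk does not show; please confirm that branch does not go on to detect and enable OpenSSL, otherwise the option is silently ignored. The chained `test ... -a ... -a ...` would also be more robust as separate tests joined with &&, since -a is marked obsolescent in POSIX.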
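Review bot: The re-indented lines in icecast-2.3.3-libkate.patch keep `test "x$have_kate" == "xyes"` in both places; `==` is not a POSIX test operator and fails when configure runs under a shell such as dash, so switch to a single `=` while these lines are being touched. With --disable-kate, have_kate is never assigned; initialising it to no before the `if` keeps any later reader of the variable well defined.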
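Review bot: icecast.rpmlintrc suppresses suse-logrotate-user-writable-log-dir for /var/log/icecast (icecast:icecast 0750) instead of addressing it: icecast.logrotate is processed by logrotate as root over a directory the service user can write to. Where the installed logrotate supports the `su` directive, adding `su icecast icecast` to the stanza makes rotation run with the log owner's identity, and the filter can then be dropped. The stanza also sets no rotation count, size or compression, so it depends entirely on the global logrotate defaults; state the intended policy explicitly.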
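Review bot: The header comment of icecast.service still reads "This file is part of package postfix", left over from the file it was derived from; it should name icecast. In [Unit], every entry is listed under both Requires= and After=; for syslog.target, time-sync.target and remote-fs.target ordering with After= is sufficient, whereas Requires= ties icecast's activation to theirs. PIDFile=/var/run/icecast.pid has to stay in sync with the <pidfile> value introduced by icecast-add_pidfile_directive.patch, so a comment in each pointing at the other would prevent them drifting apart.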
