Launchpad has imported 4 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=768157.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
We are closing this bug report because it lacks the information we need
to investigate the problem, as described in the previous comments.
Please reopen it if you can give us the missing information, and don't
hesitate to submit bug reports in the future. To reopen the bug report
you can click on
Actually, Ubuntu 13.04 has the fix as part of 2.3.3-1ubuntu1:
icecast2 (2.3.3-1ubuntu1) raring; urgency=low
* Merge from debian unstable, remaining changes:
- 1004_fix_xmlCleanupParser_splatter.patch: Make sure that
xmlCleanupParser() is only called once: on exit. Doing otherwise
Debian has 2.3.3 http://packages.debian.org/source/unstable/icecast2 -
how about updating the ubuntu package based on that?
After all the release fixes 3 security issues (out of which probably 2
apply to the default ubuntu package).
** Changed in: icecast2 (Ubuntu)
Status: In Progress => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/894782
Title:
Newline injection in error.log
To manage notifications about
** Changed in: gentoo
Status: Unknown => Fix Released
** Changed in: icecast
Status: New => Fix Released
Launchpad has imported 5 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=394847.
xiph.org have just announced version 2.3.3, which includes a fix for
CVE-2011-4612 :
http://lists.xiph.org/pipermail/icecast/2012-June/012217.html
** Bug watch added: Debian Bug tracker #652663
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652663
** Also affects: icecast via
** Bug watch added: Gentoo Bugzilla #394847
http://bugs.gentoo.org/show_bug.cgi?id=394847
** Also affects: gentoo via
http://bugs.gentoo.org/show_bug.cgi?id=394847
Importance: Unknown
Status: Unknown
** Bug watch added: Novell/SUSE Bugzilla #737255
https://bugzilla.novell.com/show_bug.cgi?id=737255
** Also affects: opensuse via
https://bugzilla.novell.com/show_bug.cgi?id=737255
Importance: Unknown
Status: Unknown
Launchpad has imported 7 comments from the remote bug at
https://bugzilla.novell.com/show_bug.cgi?id=737255.
** Changed in: icecast
Status: Unknown => New
Zubin, thank you for your work on these patches. Unfortunately, they are
still being patched directly, rather than using the quilt patches system
(notice the debian/patches directory-- your patch should be in this
directory). As mentioned, please see http://pkg-
Hi Steve,
I've corrected the above mentioned issues; please find attached a patch
for lucid; I'll attach a patch for maverick and pass it over upstream
asap.
Cheers!
** Patch added: icecast2_2.3.2-5ubuntu1.10.04.1.debdiff
Hi,
I've attached the patch for maverick along.
** Patch added: icecast2_2.3.2-5ubuntu1.10.10.1.debdiff
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2787444/+files/icecast2_2.3.2-5ubuntu1.10.10.1.debdiff
Oh, sorry, a couple of other comments:
- the icecast2 package uses quilt to manage patches, please add your fix to
the series of patches there (the Quilt for Debian Maintainers page
http://pkg-perl.alioth.debian.org/howto/quilt.html gives more information on
how to do that).
- maverick
Zubin, thanks for updating your patch. I see a couple of issues with
your patch:
- the filter loop quits when \0 is reached at the end of the existing
path, but never writes \0 to the end of the filtered string. Any
attempts to read the filtered string will run off the end of the
malloc(3)ed
Please find attached a new debdiff which replaces \r and \n with '_',
rather than trim the string.
** Patch added: icecast2_2.3.2-5ubuntu2.debdiff
https://bugs.launchpad.net/ubuntu/+source/icecast2/+bug/894782/+attachment/2767108/+files/icecast2_2.3.2-5ubuntu2.debdiff
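The two points raised in the comments above (replace \r and \n with '_', and write the terminating \0 once the filter loop ends), as an added C example that is not part of the thread or of the icecast2 debdiffs. The function name `log_sanitize` and the sample path are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not icecast's code): return a malloc'd copy of src
 * with every CR and LF replaced by '_', so one request yields one log line.
 * The number of replaced bytes is stored in *replaced when it is non-NULL. */
char *log_sanitize(const char *src, size_t *replaced)
{
    size_t len = strlen(src);
    char *dst = malloc(len + 1);        /* +1 leaves room for the terminator */
    size_t i, n = 0;

    if (dst == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        if (src[i] == '\r' || src[i] == '\n') {
            dst[i] = '_';               /* neutralise the line break */
            n++;
        } else {
            dst[i] = src[i];
        }
    }
    dst[len] = '\0';    /* without this, readers run off the end of the buffer */
    if (replaced != NULL)
        *replaced = n;
    return dst;
}

int main(void)
{
    /* Constructed sample: a decoded request path that carries an extra
     * timestamped line meant to appear as a separate error.log entry. */
    const char *path = "/non-existent\r\n[1970-01-01  00:00:00] FAKE entry\r\n";
    size_t n = 0;
    char *clean = log_sanitize(path, &n);

    if (clean == NULL)
        return 1;
    printf("replaced %zu bytes: %s\n", n, clean);
    free(clean);
    return 0;
}
```

Replacing instead of trimming keeps the full request path in the log on a single line.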
Please find attached, a debdiff that patches the issue by trimming at
occurrences of \r or \n. Tested on lenny. After applying the, you
have :-
$ echo -ne GET
/non-existent''%20No%20such%20file%20or%20directory%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%0a[`date
The attachment icecast2_2.3.2-5ubuntu2.debdiff of this bug report has
been identified as being a patch in the form of a debdiff. The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff. In the event that this is in
fact not a
** Visibility changed to: Public
** Changed in: icecast2 (Ubuntu)
Status: New => Confirmed
Thank you for using Ubuntu and reporting a bug. Because icecast is in universe
and community supported, this issue has been forwarded to upstream and
oss-security:
http://www.openwall.com/lists/oss-security/2011/12/15/4
** Changed in: icecast2 (Ubuntu)
Importance: Undecided => Low
This is CVE-2011-4612
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4612