Bugtraq mailing list archives
More Icecast remote vulnerabilities
From: John Viega <viega () LIST ORG>
Date: Tue, 13 Mar 2001 18:18:28 -0500
Following the announcement yesterday about buffer overflow vulnerabilities in Icecast, Andreas Hasenack <andreas () conectiva com br> identified several more likely buffer overflow vulnerabilities. Matt Messier <mmessier () prilnari com> took a look, and determined that at least some of them are definitely remotely exploitable. Like the last round of vulnerabilities, these problems affect all Icecast users.

The icecast team has released version 1.3.10 to correct these new problems. Everyone using icecast should upgrade immediately. The dist is available from www.icecast.org.

Also, to clarify, Icecast 1.3.9 not only fixed several buffer overflows we discovered, but it also (finally) fixed the format string vulnerabilities that were announced here on bugtraq in January.

Finally, I'd like to encourage qualified people to seriously audit Icecast (in particular, their forthcoming 2.0 version). It's a widely used piece of free software that hasn't had the benefit of that kind of expert scrutiny yet. Even though we looked at the code a bit, we (unfortunately) do not have the time for a full audit. The development team is full of great people who are very humble, and they'd appreciate any help that the community has to offer.

John