Bugtraq mailing list archives

More Icecast remote vulnerabilities


From: John Viega <viega () LIST ORG>
Date: Tue, 13 Mar 2001 18:18:28 -0500

Following the announcement yesterday about buffer overflow
vulnerabilities in Icecast, Andreas Hasenack
<andreas () conectiva com br> identified several more likely buffer
overflow vulnerabilities.  Matt Messier <mmessier () prilnari com> took a
look, and determined that at least some of them are definitely
remotely exploitable.

Like the last round of vulnerabilities, these problems affect all
Icecast users.  The Icecast team has released version 1.3.10 to
correct these new problems.  Everyone using Icecast should upgrade
immediately.  The dist is available from www.icecast.org.

Also, to clarify, Icecast 1.3.9 not only fixed several buffer overflows
we discovered, but it also (finally) fixed the format string
vulnerabilities that were announced here on bugtraq in January.

Finally, I'd like to encourage qualified people to seriously audit
Icecast (in particular, their forthcoming 2.0 version).  It's a widely
used piece of free software that hasn't had the benefit of that kind
of expert scrutiny yet.  Even though we looked at the code a bit, we
(unfortunately) do not have the time for a full audit.  The
development team is full of great people who are very humble, and
they'd appreciate any help that the community has to offer.

John

