[v3.0] icecast: remote leak and privileges gaining (CVE-2014-9018, CVE-2014-9091)
CVE-2014-9018:
Icecast before 2.4.1 transmits the output of the on-connect script,
which might allow remote attackers to obtain sensitive information,
related to shared file descriptors.
•MLIST:[oss-security] 20141120 CVE request: icecast: possible leak of
on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/19/23
•MLIST:[oss-security] 20141120 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://www.openwall.com/lists/oss-security/2014/11/20/22
•CONFIRM: http://icecast.org/news/icecast-release-2_4_1/
•CONFIRM: https://trac.xiph.org/ticket/2087
•CONFIRM: https://trac.xiph.org/ticket/2089
•MANDRIVA:MDVSA-2014:231
•URL: http://www.mandriva.com/security/advisories?name=MDVSA-2014:231
•SUSE:openSUSE-SU-2014:1593
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00038.html
•BID:71312
•URL: http://www.securityfocus.com/bid/71312
•XF:icecast-cve20149091-priv-esc(98991)
•URL: http://xforce.iss.net/xforce/xfdb/98991
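
Added example (not Icecast code and not part of the original report): a minimal C sketch of the descriptor-sharing problem CVE-2014-9018 describes, showing how a hook script's output reaches a peer when its stdout is shared with a connection, and how giving the child its own /dev/null descriptors stops it. The pipe standing in for a client connection, the function name and the script string are constructed assumptions; the /dev/null redirection is a general hardening pattern, not taken from the upstream patch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs a constructed "on-connect" script in a child whose descriptor 1 refers
 * to a pipe standing in for a client connection. Returns how many bytes of
 * script output reached that "client", or -1 on error. */
static long script_bytes_reaching_client(int harden)
{
    int client[2];                       /* client[1] plays the client socket */
    if (pipe(client) < 0) return -1;
    fcntl(client[0], F_SETFD, FD_CLOEXEC);
    fcntl(client[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Assumed starting state: descriptor 1 is shared with a client. */
        dup2(client[1], STDOUT_FILENO);
        if (harden) {
            /* Give the script private, harmless standard descriptors. */
            int nul = open("/dev/null", O_RDWR);
            if (nul < 0) _exit(126);
            dup2(nul, STDIN_FILENO);
            dup2(nul, STDOUT_FILENO);
            dup2(nul, STDERR_FILENO);
            if (nul > STDERR_FILENO) close(nul);
        }
        execl("/bin/sh", "sh", "-c", "echo constructed-secret", (char *)NULL);
        _exit(127);
    }
    close(client[1]);                    /* parent keeps only the read side */
    long total = 0;
    char buf[256];
    ssize_t n;
    while ((n = read(client[0], buf, sizeof buf)) > 0) total += n;
    close(client[0]);
    waitpid(pid, NULL, 0);
    return total;
}

int main(void)
{
    printf("inherited: %ld bytes reach the client\n", script_bytes_reaching_client(0));
    printf("hardened:  %ld bytes reach the client\n", script_bytes_reaching_client(1));
    return 0;
}
```

The close-on-exec flag on the original pipe descriptors is what keeps the hardened child from holding any other reference to the connection after exec.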
CVE-2014-9091:
Icecast before 2.4.0 does not change the supplementary group privileges
when is configured, which allows local users to gain
privileges via unspecified vectors.
•MLIST:[oss-security] 20141125 Re: Re: CVE request: icecast: possible
leak of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/794
•MLIST:[oss-security] 20141126 Re: CVE request: icecast: possible leak
of on-connect scripts
•URL: http://seclists.org/oss-sec/2014/q4/802
•CONFIRM: http://icecast.org/news/icecast-release-2_4_0/
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1168146
•CONFIRM: https://trac.xiph.org/changeset/19137/
•SUSE:openSUSE-SU-2014:1591
•URL: http://lists.opensuse.org/opensuse-updates/2014-12/msg00037.html
(from redmine: issue id 3730, created on 2015-01-23, closed on 2017-08-07)
- Relations:
- parent #3727