FreeBSD security advisory - icecast

by phiber on March 14th, 2001

The icecast software, versions prior to 1.3.7_1, contains multiple format string vulnerabilities, which allow a remote attacker to execute arbitrary code as the user running icecast, usually the root user.

There are a number of other potential abuses of format strings which may or may not pose security risks, but have not currently been audited.
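The bug class named above, shown as an added example that is neither icecast's code nor part of the advisory: a log wrapper that receives client text as its format string, beside the corrected call. The names log_line, log_request_vulnerable, log_request_safe and SHOW_VULNERABLE are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical log wrapper for a network daemon (not icecast's code).
 * The format attribute makes GCC/Clang type-check every caller, and
 * -Wformat -Wformat-security then flags a non-literal format. */
__attribute__((format(printf, 3, 4)))
static int log_line(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    /* Report truncation or an output error as failure. */
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

#ifdef SHOW_VULNERABLE
/* BEFORE: client-controlled text is used as the format string, so any
 * conversion directives in it are interpreted by vsnprintf(). */
static int log_request_vulnerable(char *out, size_t cap, const char *client)
{
    return log_line(out, cap, client);
}
#endif

/* AFTER: the format is a constant; client text is only ever an argument. */
static int log_request_safe(char *out, size_t cap, const char *client)
{
    return log_line(out, cap, "request: %s", client);
}

int main(void)
{
    char buf[64];
    const char *sample = "/live%x%x%s";  /* constructed input */
    if (log_request_safe(buf, sizeof buf, sample) < 0)
        return 1;
    puts(buf);  /* the directives appear literally in the log line */
    return 0;
}
```

Building with -DSHOW_VULNERABLE -Wformat -Wformat-security makes the compiler warn at the call inside log_request_vulnerable, which is how the attribute helps when auditing a code base's own logging wrappers.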


The icecast port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.



FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.



Impact



Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user.



If you have not chosen to install the icecast port/package, then your
system is not vulnerable to this problem.



Workaround



Deinstall the icecast port/package, if you have installed it.



Solution



Consider running the icecast software as a non-privileged user to
minimize the impact of further security vulnerabilities in this
software.

The full advisory lists the URLs for the icecast upgrades, so download it.


Download this advisory

FreeBSD Security

