karlheyes / icecast-kh

KH branch of icecast
GNU General Public License v2.0

affected by CVE-2018-18820 - buffer overflow in url-auth? #235

Closed marillat closed 8 months ago

marillat commented 5 years ago

I don't know if the kh version is affected by this CVE issue. See https://seclists.org/oss-sec/2018/q4/122 for details

edglazer commented 5 years ago

Looking at auth_url.c, line 503 has the code: `poffset = snprintf (post, sizeof (post),`

which seems to be analogous to the code: `post_offset += snprintf(post + post_offset,`

identified in this article as the problem code. I'm not very familiar with C, however, and I note that there is no iterator in Karl's code, so his version might not be exploitable in the same way?

The fix is shown in this commit, which I'm including, in the case that it is helpful.
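The offset bug behind the two snippets quoted above, as an added illustration in C that is not the project's code: a constructed small buffer, constructed field values and the helper names are assumptions, but the `post_offset += snprintf(post + post_offset, ...)` shape is the one under discussion.

```c
#include <stdio.h>
#include <string.h>

/* Unchecked accumulation in the shape of the quoted pattern. snprintf returns
 * the full length the field WOULD have had, even when truncated, so the offset
 * can pass the buffer size and the next size argument (cap - off) wraps to a
 * huge size_t. Demo guard only: nothing here writes out of bounds. */
static size_t unchecked_offset(char *buf, size_t cap, const char *vals[],
                               size_t n, size_t *next_size_arg)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (off > cap)      /* demo guard only; the vulnerable code keeps going */
            break;
        int len = snprintf(buf + off, cap - off, "&h%zu=%s", i, vals[i]);
        off += (size_t)len; /* bug: adds the would-be length, not bytes written */
    }
    *next_size_arg = cap - off; /* wraps when off > cap */
    return off;
}

/* Hardened append: truncation is an error, buffer stays NUL-terminated, *off <= cap. */
static int safe_append(char *buf, size_t cap, size_t *off,
                       const char *key, const char *val)
{
    if (*off >= cap)
        return -1;
    int len = snprintf(buf + *off, cap - *off, "&%s=%s", key, val);
    if (len < 0 || (size_t)len >= cap - *off) {
        buf[*off] = '\0';   /* roll back the partial field */
        return -1;
    }
    *off += (size_t)len;
    return 0;
}

/* Builds the body field by field; returns the field count, or -1 so the caller rejects. */
static int build_post_safe(char *buf, size_t cap, const char *vals[], size_t n)
{
    size_t off = 0;
    char key[16];
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        snprintf(key, sizeof key, "h%zu", i);
        if (safe_append(buf, cap, &off, key, vals[i]) != 0)
            return -1;
    }
    return (int)n;
}
```

With a 32-byte buffer and a 40-character second value, the unchecked offset ends at 53 and the size that the next call would receive has wrapped far past the buffer, while the hardened builder stops at the last field that fit and reports the failure.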

karlheyes commented 5 years ago

Had a look over the weekend. I had merged the code for the headers with minor differences but had not completely checked it for the offset bug. I've committed a fix for that and it should be OK. I will need to catch up on other reports before cutting a release.

karl.

asantoni commented 5 years ago

@karlheyes - Could we please get a simple yes or no answer as to whether the current 2.4.0-kh10 release is vulnerable? (I don't understand your previous reply.)

Thanks!

karlheyes commented 5 years ago

The fix is in the master tree, just not cut as a release. kh10 is affected as the code was merged from the xiph codebase but not verified. I'll cut a kh11 shortly.

karl

addisoncrump commented 4 years ago

Status? This is high-priority for us.

karlheyes commented 4 years ago

The original code was merged back in kh8 and subsequently updated by kh11 to include a fix that is similar (different logging) in operation. Nothing has been changed in that regard since then.

karl

neginhsobhani commented 8 months ago

Does anyone know if the vulnerability is fixed in the latest version which is 2.4.0.kh22?

karlheyes commented 8 months ago

A fix has been in for some time, although back around kh17 the way the POST is created was changed (now a generic mechanism used by different parts of icecast), so not only is that buffer issue not there, but the limitations on the lengths of the POST fields are no longer there.

karl

neginhsobhani commented 8 months ago

@karlheyes thanks for your response.