Arch Linux ASA-201411-32 Critical: Icecast Info Leak Issue

Arch Linux Security Advisory ASA-201411-32
=========================================
Severity: Critical
Date    : 2014-11-28
CVE-ID  : CVE-2014-9018
Package : icecast
Type    : information leak
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package icecast before version 2.4.1-1 is vulnerable to information
leak.

Resolution
=========
Upgrade to 2.4.1-1.

# pacman -Syu "icecast>=2.4.1-1"

The problem has been fixed upstream in version 2.4.1.

Workaround
=========
Disable on-connect and on-disconnect scripts.

Description
==========
It was reported that Icecast could possibly leak the contents of
on-connect scripts to clients, which may contain sensitive information.

If on-connect/on-disconnect scripts are used, file descriptors of the
server process remain open and could be written to or read from. Most
pressing STDIN, STDOUT, STDERR are handled.
Further all file descriptors up to 1024 are closed. There is a remaining
(much lower) risk in combination of either a malicious or susceptible
script and FDs above 1024.

Impact
=====
A remote attacker may be able to extract sensitive information from the
process memory, including but not limited to passwords.

References
=========
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9018
https://icecast.org/news/icecast-release-2_4_1/
https://bugs.archlinux.org/task/42912
https://seclists.org/oss-sec/2014/q4/716