Xiph.Org issueshttps://gitlab.xiph.org/groups/xiph/-/issues2018-11-13T09:03:30Zhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2357Alias for <role type="anonymous" deny-all="*">2018-11-13T09:03:30ZPhilipp SchafftAlias for <role type="anonymous" deny-all="*">@ePirat suggested that it would be nice to have an alias for <role type="anonymous" deny-all="*"> that only accepts matching options as well as deny-options. His main reason was to help users not to in-correctly use allow-all="*" as they...@ePirat suggested that it would be nice to have an alias for <role type="anonymous" deny-all="*"> that only accepts matching options as well as deny-options. His main reason was to help users not to in-correctly use allow-all="*" as they may not understand that it actually *is* the opposite of deny-all="*".
Maybe this should be more generalized and a kind of access profiles should be used like:
* deny-all
* listener
* source client
* admin
See also: #2353Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2356Icecast does not handle HTTP Upgrade as to RFC2018-12-14T03:48:15ZPhilipp SchafftIcecast does not handle HTTP Upgrade as to RFCCurrently Icecast 2.5.x does not handle HTTP upgrades correctly. It does not send the final reply to the request doing the upgrade.Currently Icecast 2.5.x does not handle HTTP upgrades correctly. It does not send the final reply to the request doing the upgrade.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2355DoS vector using incorrect TLS teardown2018-12-07T13:48:18ZPhilipp SchafftDoS vector using incorrect TLS teardownWhen in a TLS SOURCE connection the socket is closed without TLS teardown Icecast will read from the socket in a tight endless loop. This locks up the corresponding thread.
Affected at least: Icecast 2.4.4, Icecast 2.5 beta 2.
May be re...When in a TLS SOURCE connection the socket is closed without TLS teardown Icecast will read from the socket in a tight endless loop. This locks up the corresponding thread.
Affected at least: Icecast 2.4.4, Icecast 2.5 beta 2.
May be related to OpenSSL version. Tested with version 1.0.1t.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2354Improve way of what URI is sent to YP2022-03-21T23:14:53ZPhilipp SchafftImprove way of what URI is sent to YPAt this point the URI sent to YP servers is based on the hostname and global port setting. However this does not work with TLS enabled and may not work for more complex setups with internal-/external-split (including different hostnames)...At this point the URI sent to YP servers is based on the hostname and global port setting. However this does not work with TLS enabled and may not work for more complex setups with internal-/external-split (including different hostnames).
An attribute to the `<directory>` tag should be added that takes the ID of a `<listen-socket>` on which behalf the YP submission should be made. That `<listen-socket>` may be `type="virtual"`.
See: #2171Marvin ScholzMarvin Scholzhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2353Rename auth backend "anonymous"2023-03-09T14:07:53ZPhilipp SchafftRename auth backend "anonymous"Currently the backend that matches all users is called "`anonymous`". This is technically correct by the way how it works and what it initially was meant to be used for. However that name might be misleading as to not match logged in use...Currently the backend that matches all users is called "`anonymous`". This is technically correct by the way how it works and what it initially was meant to be used for. However that name might be misleading as to not match logged in users.
I suggest that it should be renamed. The name "anonymous" would become an alias to ensure older configurations can still be read.
What new name should it have?Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2352`<resource>` should allow `<authentication>`, and `<http-headers>`2018-11-05T08:07:15ZPhilipp Schafft`<resource>` should allow `<authentication>`, and `<http-headers>``<resource>`s should allow to set resource specific `<authentication>`, and `<http-headers>`.
This depends on: #2349 (for refobject and to-be-written lists)`<resource>`s should allow to set resource specific `<authentication>`, and `<http-headers>`.
This depends on: #2349 (for refobject and to-be-written lists)Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2351Multiple ACLs per Role2020-10-18T16:15:17ZPhilipp SchafftMultiple ACLs per RoleIcecast should support multiple ACLs per role.
This is useful with matching in ACLs. It allows to authenticate a user and after that decide what access that user has based on matching.
Depends on: #2349 (for to-be-written lists), and #...Icecast should support multiple ACLs per role.
This is useful with matching in ACLs. It allows to authenticate a user and after that decide what access that user has based on matching.
Depends on: #2349 (for to-be-written lists), and #2350 (for matching).Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2350Common matching frame work2019-01-22T06:31:38ZPhilipp SchafftCommon matching frame workCurrently the following parts of Icecast do client and client-status matching:
* `<resource>`
* `<role>` (auth)
* `<header>` (child of `<http-headers>`)
* `<event>` (child of `<event-bindings>`)
We also expect the following new users so...Currently the following parts of Icecast do client and client-status matching:
* `<resource>`
* `<role>` (auth)
* `<header>` (child of `<http-headers>`)
* `<event>` (child of `<event-bindings>`)
We also expect the following new users soon:
* `<acl>` (child of `<auth>`)
A common framework should be written to allow implementing matching.
This depends on #2349 (for refobject).Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2349Icecast should use libigloo2022-03-16T01:46:29ZPhilipp SchafftIcecast should use libigloocommon/ is currently made into libigloo. Icecast should use libigloo. This ticket is about adding libigloo and using it as replacement to common/common/ is currently made into libigloo. Icecast should use libigloo. This ticket is about adding libigloo and using it as replacement to common/Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2348Auth backend for enforcing initial 4012019-04-23T13:54:32ZPhilipp SchafftAuth backend for enforcing initial 401There should be an auth backend that enforces an initial 401 reply.
This would be useful to off-load generation of those initial replies from other backends such as the URL auth backend.
This works by:
```
If (!user || !password) {
...There should be an auth backend that enforces an initial 401 reply.
This would be useful to off-load generation of those initial replies from other backends such as the URL auth backend.
This works by:
```
If (!user || !password) {
return failed;
} else {
return no match;
}
```Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2347ACL should support names2020-10-15T14:20:49ZPhilipp SchafftACL should support namesACLs should support name=""s just like Roles do for easier administration.
This will become more important when Icecast will support multiple ACLs per Role.ACLs should support name=""s just like Roles do for easier administration.
This will become more important when Icecast will support multiple ACLs per Role.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2346Icecast does not support absolute-form, and authority-form requests2018-11-06T08:33:24ZPhilipp SchafftIcecast does not support absolute-form, and authority-form requestsIcecast currently does not support absolute-form, and authority-form requests as per Section 5.3.2/5.3.3 of RFC7230. This is a "MUST" requirement as per RFC.Icecast currently does not support absolute-form, and authority-form requests as per Section 5.3.2/5.3.3 of RFC7230. This is a "MUST" requirement as per RFC.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2345For close-only-review2018-11-09T07:32:50ZPhilipp SchafftFor close-only-reviewThe following tasks should be closed as they are or re-opened for review as per comment.
* [x] #2085
* [x] #2057
* [x] #2017
* [x] #2171
* [x] #1195
* [x] #1296The following tasks should be closed as they are or re-opened for review as per comment.
* [x] #2085
* [x] #2057
* [x] #2017
* [x] #2171
* [x] #1195
* [x] #1296Thomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2344Crash Icecast 2.4.3 on CentOS 7.52020-10-18T15:38:53ZMichelCrash Icecast 2.4.3 on CentOS 7.5Hi,
We running Icecast v2.4.3 on the Last version of CentOS Linux release 7.5.1804 (Core).
And its crash every 3 a 4 days. We see in the systemlog:
kernel: traps: icecast[5425] general protection ip:7ff3b209cc19 sp:7ffc63b5a910 error:0...Hi,
We running Icecast v2.4.3 on the Last version of CentOS Linux release 7.5.1804 (Core).
And its crash every 3 a 4 days. We see in the systemlog:
kernel: traps: icecast[5425] general protection ip:7ff3b209cc19 sp:7ffc63b5a910 error:0 in libssl.so.1.0.2k[7ff3b2070000+67000]
We run OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS 7.5 using the last updates.
We use dual stack ipv4/ipv6 and run on ssl and streaming on flac, opus and mp3.
Best regards,
Michelhttps://gitlab.xiph.org/xiph/icecast-libshout/-/issues/2302libshout allows setting ice*-headers with \n2019-05-14T16:44:29ZPhilipp Schafftlibshout allows setting ice*-headers with \nCurrently libshout allows setting ice* headers with \n. This allows the user to send any header they want.
This has likely **no security implications**. However it may result in unexpected behaviour.
libshout should reject invalid data...Currently libshout allows setting ice* headers with \n. This allows the user to send any header they want.
This has likely **no security implications**. However it may result in unexpected behaviour.
libshout should reject invalid data as those headers do not support any kind of escaping.https://gitlab.xiph.org/xiph/icecast-server/-/issues/2343Add API endpoint to sets a mark in the log files2020-10-02T13:37:21ZPhilipp SchafftAdd API endpoint to sets a mark in the log filesThis is for debugging. The endpoint would write marker into the log file. This can be helpful to find things in busy logfiles more easily.
The marker could optionally include a user provided string and username+role of the user who requ...This is for debugging. The endpoint would write marker into the log file. This can be helpful to find things in busy logfiles more easily.
The marker could optionally include a user provided string and username+role of the user who requested the mark.https://gitlab.xiph.org/xiph/icecast-server/-/issues/2342Security vulnerability: buffer overflow in URL authentication allows remote c...2018-11-05T08:00:08ZNick RolfeSecurity vulnerability: buffer overflow in URL authentication allows remote code executionHello,
I would like to report a security vulnerability in the Icecast server.
## The bug
`url_add_client` in `auth_url.c` contains this call inside a loop:
```
post_offset += snprintf(post + post_offset,
sizeo...Hello,
I would like to report a security vulnerability in the Icecast server.
## The bug
`url_add_client` in `auth_url.c` contains this call inside a loop:
```
post_offset += snprintf(post + post_offset,
sizeof(post) - post_offset,
"&%s%s=%s",
url->prefix_headers ? url->prefix_headers : "",
cur_header, header_valesc);
```
If the string to be written is longer than `sizeof(post) - post_offset`, `snprintf` will truncate the string, but will return *the number of bytes it would have written if the buffer were large enough*. This means that `post_offset` is incremented to be larger than `sizeof(post)`, and any subsequent iteration of the loop will write beyond the end of the buffer.
## Proof of concept
I configured a mount using URL authentication that forwards two headers:
```
<mount type="normal">
<mount-name>/auth_url.ogg</mount-name>
<authentication type="url">
<option name="headers" value="x-foo,x-bar"/>
...
</authentication>
</mount>
```
My Icecast server was running on localhost, port 8000, and then I ran the following Bash script:
```
foo=$(python -c "print('a' * 3950)")
bar=123456789123456789
curl -H "x-foo: $foo" -H "x-bar: $bar" http://localhost:8000/auth_url.ogg
```
The `x-foo` header was truncated, but it caused `postoffset` to be incremented beyond the size of the buffer, as described above. The subsequent handling of the `x-bar` header overwrote other stack contents, causing my Icecast server to crash:
```
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
```
By controlling the length of the `x-foo` header, and the contents of the `x-bar` header, it seems likely that remote code execution would be possible.
## Related bug
Our automated analysis highlighted this bug, and another similar misuse of `snprintf` in `format_prepare_headers` in `format.c`, but I did not investigate whether that one would be exploitable.
Those analysis results are visible here: https://lgtm.com/projects/g/xiph/Icecast-Server/alerts/?mode=tree&ruleFocus=1505913226124
## Disclosure
Please let me know when you have fixed the vulnerability, so that we can coordinate our disclosure with yours. For reference, here is a link to our vulnerability disclosure policy: https://lgtm.com/security
Thanks!
--Nick Rolfe, Semmle Security Research TeamThomas B. RückerThomas B. Rückerhttps://gitlab.xiph.org/xiph/icecast-common/-/issues/4Library init/deinit functions2018-11-05T07:57:12ZPhilipp SchafftLibrary init/deinit functionsFunctions should be added to init/deinit the library.
Those functions should work in a reference counter way (maybe even using refobject) to allow the library to be used my multiple parts of the same process.Functions should be added to init/deinit the library.
Those functions should work in a reference counter way (maybe even using refobject) to allow the library to be used my multiple parts of the same process.Philipp SchafftPhilipp Schaffthttps://gitlab.xiph.org/xiph/icecast-common/-/issues/3Move all public headers into one directory2018-10-28T09:45:16ZPhilipp SchafftMove all public headers into one directoryCurrently all *pubic* headers are in the corresponding subdirectories but end up in the same installation directory. All the headers should be moved into a central directory.Currently all *pubic* headers are in the corresponding subdirectories but end up in the same installation directory. All the headers should be moved into a central directory.Marvin ScholzMarvin Scholzhttps://gitlab.xiph.org/xiph/icecast-server/-/issues/2341Improvements to auth_result and it's usage (more and better results)2018-10-27T17:00:55ZPhilipp SchafftImprovements to auth_result and it's usage (more and better results)The enum auth_result currently implements:
* "undefined": The code comments this as "XXX: ???",
* "ok": client passed the auth backend successfully,
* "failed": client did not pass (because of invalid credentials or because of backend ma...The enum auth_result currently implements:
* "undefined": The code comments this as "XXX: ???",
* "ok": client passed the auth backend successfully,
* "failed": client did not pass (because of invalid credentials or because of backend malfunction),
* "released": used internally for on-disconnect handlers,
* "forbidden": unused,
* "no match": client is unknown to this backend,
* "user added", "user exists", "user deleted": used by management functions.
I suggest to change this the following way:
* Make "forbidden" settable by auth backends for permanent no-passes. This would terminate any auth retry. It could be useful for when the client *IS* identified (credentials match) but the backend forbids access (user has been banned, access has been terminated, ...).
* Add "backend failed" that indicates a problem with the backend, not the credentials. Such failures would include non-responsive backend servers (e.g. with URL auth) or misconfiguration (e.g. invalid file for htpasswd auth).
* Add a "user modified" for management functions as the current set does not allow updating users (only delete-then-add-again patterns).Philipp SchafftPhilipp Schafft