Bug 907300 - (CVE-2014-9091) VUL-0: CVE-2014-9091: icecast: supplementary groups are not overridden
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other openSUSE 13.2
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/111044/
Reported: 2014-11-26 11:35 UTC by Johannes Segitz
Modified: 2015-02-19 07:03 UTC (History)
Found By: Security Response Team
Description Johannes Segitz 2014-11-26 11:35:17 UTC
rh#1168146

It was found that when the UID and GID were changed in the <changeowner> section of the /etc/icecast.xml file, the supplementary groups were left in place. This could allow an attacker to escalate their privileges if the <changeowner> configuration was used.

The fix was added in version 2.4.0.

References:
http://icecast.org/news/icecast-release-2_4_0/
https://trac.xiph.org/changeset/19137/
http://seclists.org/oss-sec/2014/q4/802
https://bugzilla.redhat.com/show_bug.cgi?id=1168146
Comment 1 Bernhard Wiedemann 2014-11-26 14:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (907300) was mentioned in
https://build.opensuse.org/request/show/263121 12.3 / icecast
https://build.opensuse.org/request/show/263122 13.1 / icecast
Comment 2 Takashi Iwai 2014-11-26 21:14:38 UTC
I submitted the fixed packages to openSUSE 12.3 and 13.1.
oS 13.2 already has icecast 2.4.0, and SLE doesn't contain this package.
Comment 3 Swamp Workflow Management 2014-12-08 16:06:10 UTC
openSUSE-SU-2014:1591-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 906538,907300
CVE References: CVE-2014-9018,CVE-2014-9091
Sources used:
openSUSE 13.1 (src):    icecast-2.3.3-2.12.1
openSUSE 12.3 (src):    icecast-2.3.2-72.4.1