By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.

A vulnerability discovered in Icecast streaming media server could be leveraged by an attacker to kill the broadcast of online radio stations that rely on it to reach their audience. The flaw is sufficient to trigger a segmentation fault in the server process - an access violation condition that leads to a crash. A theoretical risk exists for remote code execution. An attacker could achieve this with sufficiently long, specially crafted HTTP headers. Maintained by the Xiph.org Foundation, Icecast supports both audio and video data. Because it is available under a free software license and has support for open standards for communication, Icecast is a popular choice for creating an online radio station. A patch is included in the latest version of the software, whose changelog describes the issue as a buffer overflow that affects Icecast versions 2.4.0, 2.4.1, 2.4.2 or 2.4.3 "if there is a “mount” definition that enables URL authentication. The security bug stems from choosing the 'snprintf' function that redirects the data output to a buffer, over 'sprintf' to avoid buffer overflow issues by truncating the output if the buffer is not sufficiently large. Making this choice is not necessarily a safer bet when a specific condition is met. Nick Rolfe of Semmle Security Research Team says that the 'snprintf' function does not offer protection against buffer overflows "if you provide a size argument that's larger than the actual size of the buffer. "Follow this on OUR FORUM.