Shoutcast Server: Remote code execution — GLSA 200501-04

Shoutcast Server contains a possible buffer overflow that could lead to the execution of arbitrary code.

Affected packages

Package 	media-sound/shoutcast-server-bin on all architectures
Affected versions 	<= 1.9.4-r1
Unaffected versions 	>= 1.9.5

Background

Shoutcast Server is Nullsoft's streaming audio server. It runs on a variety of platforms, including Linux, and is extremely popular with Internet broadcasters.

Description

Part of the Shoutcast Server Linux binary has been found to improperly handle sprintf() parsing.

Impact

A malicious attacker could send a formatted URL request to the Shoutcast Server. This formatted URL would cause either the server process to crash, or the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All Shoutcast Server users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-sound/shoutcast-server-bin-1.9.5"

References

    BugTraq Announcement
    CVE-2004-1373