Description: Icecast before 2.4.0 does not change the supplementary group privileges
             when <changeowner> is configured, which allows local users to gain
             privileges via unspecified vectors.
Source: https://trac.xiph.org/changeset/19137/
CVE: CVE-2014-9091

Index: icecast/trunk/icecast/src/main.c
===================================================================
--- a/src/main.c
+++ b/src/main.c
@@ -391,12 +391,13 @@
        }
 
-       if(gid != -1) {
+       if(uid != (uid_t)-1 && gid != (gid_t)-1) {
            if(!setgid(gid))
                fprintf(stdout, "Changed groupid to %i.\n", (int)gid);
            else
                fprintf(stdout, "Error changing groupid: %s.\n", strerror(errno));
-       }
-
-       if(uid != -1) {
+           if(!initgroups(conf->user, gid))
+               fprintf(stdout, "Changed supplementary groups based on user: %s.\n", conf->user);
+           else
+               fprintf(stdout, "Error changing supplementary groups: %s.\n", strerror(errno));
            if(!setuid(uid))
                fprintf(stdout, "Changed userid to %i.\n", (int)uid);
