mod_ssl Problemsby Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in
LessTif, the Cyrus SASL library, MySQL, CUPS, ProFTPD, and the Squid web proxy cache.
mod_ssl contains a buffer overflow that, when several conditions are met,
may be exploitable to execute arbitrary code with the permissions of the user
account running the web server.
mod_ssl is only vulnerable to this buffer overflow
when it has been configured with
FakeBasicAuth enabled and when the attacker
can create a certificate with a subject DN field longer than 6,000 characters
that is then signed by a Certificate Authority that
mod_ssl has been configured
to trust. Affected users should upgrade to the latest available
soon as possible, and if possible, should turn
FakeBasicAuth off until
has been upgraded.
The library LibTIFF provides code to encode and decode images stored in TIFF (Tag Image File Format) format. LibTIFF is used by many applications, including applications distributed with both the GNOME and KDE desktops. Several buffer overflows have been discovered in LibTIFF. Under some conditions, these buffer overflows could be exploited in applications linked against LibTIFF. In some cases, exploiting these buffer overflows could lead to root compromise. Applications that have been statically linked to LibTIFF will require recompiling against the repaired library.
All users should watch their vendors for updated LibTIFF and any linked applications.
Gentoo Linux has released a repaired version of LibTIFF and the
xv image viewer.
Debian GNU/Linux has updated their LibTIFF and Libtiff-tools packages. Trustix
Secure Linux has updated their LibTIFF library package.
mpg123 is a fast MPEG (layer 1, 2, and 3) audio player for Unix systems. There
is a bug in the code that
mpg123 uses to process header files of MPEG files
that may be exploitable using a carefully crafted MPEG layer 2 and 3 file.
Successfully exploiting this bug will result in arbitrary code being executed
with the permissions of the victim.
Users should watch their vendors for a repaired version of
mpg123 and should
exercise care in what MPEG files they play using
LessTif is a clone of OSF/Motif, a standard user interface toolkit
for building X Window applications under Linux and Unix. LessTif is reported
to be vulnerable to multiple buffer overflows due to the inclusion of
as a component of LessTif. An attacker could use a carefully crafted XPM file
to exploit this vulnerability in a linked application. It should be noted for
clarity that the problems in LessTif and LibTIFF are not related in any way,
other than the names of the libraries being similar. Affected users should
watch their vendors for updated packages. There is no known workaround; repaired
packages have been released for Debian GNU/Linux.
The Simple Authentication and Security Layer (SASL) library is used to provide
authentication for applications that connect over the network. The Cyrus implementation
of the SASL library is reported to contain a bug that can be used by a local
attacker to execute arbitrary code with, in many cases, root permissions. The
bug is caused by the SASL library using the
SASL_PATH environmental variable
to find its libraries. By creating a malicious version of the library and pointing
to it using the
SASL_PATH variable, the attacker can execute arbitrary code.
In addition, it has been reported that there is a buffer overflow in code contained
in the digestmda5.c file. The details of exploiting this buffer overflow were
All affected users should watch their vendors for a repaired version of the Cyrus SASL library. Repaired versions have been released for Debian GNU/Linux, Mandrake Linux, Gentoo Linux, and Trustix Secure Linux distributions.
Several vulnerabilities and problems have been reported in the MySQL database
server: a bug in the command
ALTER TABLE ... RENAME, a bug that may
(under some conditions) crash the server, and a buffer overflow in the function
Debian has released a repaired MySQL package. Users of other distributions should watch their vendors or MySQL AB for an updated package or release.
CUPS, the Common Unix Printing System, has a bug that can leak to a local attacker the user ID and password used to connect to a remote SMB shared printer. The bug causes CUPS to log the username and password for the remote printer to a local log file.
It is recommended that any affected users should upgrade to version CUPS 1.1.22rc2 or newer as soon as possible.
The FTP server ProFTPD is reported to contain an information leak that can be exploited by a remote attacker to distinguish valid, special, and invalid account names. This attack could be used as part of the information-gathering phase leading to other attacks. A script to automate this information leak has been released to the public. Users should watch for a new version of ProFTPD that repairs the information leak.
Squid is a free open source web proxy cache server designed for Unix systems
with many features, including the proxying and caching of HTTP, FTP, and other
URL types; proxying for SSL; transparent caching; extensive access controls;
HTTP server acceleration; SNMP; and the caching of DNS queries. A bug in the
function contained in snmplib/asn1.c can be exploited by a remote attacker
to crash the Squid server and cause a denial of service. This attack uses a
single UDP packet. Users can test to see if their version of Squid was compiled
with SNMP support and is vulnerable to this bug by using the command
snmp_port /usr/local/squid/sbin/squid. If the command returns with no output,
Squid is not vulnerable.
It is recommended that users upgrade to Squid-2.5.STABLE7 or newer. One workaround
for this bug is to disable SNMP support by adding
snmp_port 0 to the squid.conf
file or by restricting SNMP connections to authorized hosts by adding something
snmp_incoming_address 127.0.0.1 to the squid.conf file.
Read more Security Alerts columns.
Return to LinuxDevCenter.com