oreilly.comSafari Books Online.Conferences.


Security Alerts

mod_ssl Problems

by Noel Davis

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in mod_ssl, LibTIFF, mpg123, LessTif, the Cyrus SASL library, MySQL, CUPS, ProFTPD, and the Squid web proxy cache.


Apache's mod_ssl contains a buffer overflow that, when several conditions are met, may be exploitable to execute arbitrary code with the permissions of the user account running the web server. mod_ssl is only vulnerable to this buffer overflow when it has been configured with FakeBasicAuth enabled and when the attacker can create a certificate with a subject DN field longer than 6,000 characters that is then signed by a Certificate Authority that mod_ssl has been configured to trust. Affected users should upgrade to the latest available mod_ssl as soon as possible, and if possible, should turn FakeBasicAuth off until mod_ssl has been upgraded.


The library LibTIFF provides code to encode and decode images stored in TIFF (Tag Image File Format) format. LibTIFF is used by many applications, including applications distributed with both the GNOME and KDE desktops. Several buffer overflows have been discovered in LibTIFF. Under some conditions, these buffer overflows could be exploited in applications linked against LibTIFF. In some cases, exploiting these buffer overflows could lead to root compromise. Applications that have been statically linked to LibTIFF will require recompiling against the repaired library.

All users should watch their vendors for updated LibTIFF and any linked applications. Gentoo Linux has released a repaired version of LibTIFF and the xv image viewer. Debian GNU/Linux has updated their LibTIFF and Libtiff-tools packages. Trustix Secure Linux has updated their LibTIFF library package.


mpg123 is a fast MPEG (layer 1, 2, and 3) audio player for Unix systems. There is a bug in the code that mpg123 uses to process header files of MPEG files that may be exploitable using a carefully crafted MPEG layer 2 and 3 file. Successfully exploiting this bug will result in arbitrary code being executed with the permissions of the victim.

Users should watch their vendors for a repaired version of mpg123 and should exercise care in what MPEG files they play using mpg123.


LessTif is a clone of OSF/Motif, a standard user interface toolkit for building X Window applications under Linux and Unix. LessTif is reported to be vulnerable to multiple buffer overflows due to the inclusion of libXpm as a component of LessTif. An attacker could use a carefully crafted XPM file to exploit this vulnerability in a linked application. It should be noted for clarity that the problems in LessTif and LibTIFF are not related in any way, other than the names of the libraries being similar. Affected users should watch their vendors for updated packages. There is no known workaround; repaired packages have been released for Debian GNU/Linux.

The Cyrus SASL Library

The Simple Authentication and Security Layer (SASL) library is used to provide authentication for applications that connect over the network. The Cyrus implementation of the SASL library is reported to contain a bug that can be used by a local attacker to execute arbitrary code with, in many cases, root permissions. The bug is caused by the SASL library using the SASL_PATH environmental variable to find its libraries. By creating a malicious version of the library and pointing to it using the SASL_PATH variable, the attacker can execute arbitrary code. In addition, it has been reported that there is a buffer overflow in code contained in the digestmda5.c file. The details of exploiting this buffer overflow were not reported.

All affected users should watch their vendors for a repaired version of the Cyrus SASL library. Repaired versions have been released for Debian GNU/Linux, Mandrake Linux, Gentoo Linux, and Trustix Secure Linux distributions.


Several vulnerabilities and problems have been reported in the MySQL database server: a bug in the command ALTER TABLE ... RENAME, a bug that may (under some conditions) crash the server, and a buffer overflow in the function mysql_real_connect().

Debian has released a repaired MySQL package. Users of other distributions should watch their vendors or MySQL AB for an updated package or release.


CUPS, the Common Unix Printing System, has a bug that can leak to a local attacker the user ID and password used to connect to a remote SMB shared printer. The bug causes CUPS to log the username and password for the remote printer to a local log file.

It is recommended that any affected users should upgrade to version CUPS 1.1.22rc2 or newer as soon as possible.


The FTP server ProFTPD is reported to contain an information leak that can be exploited by a remote attacker to distinguish valid, special, and invalid account names. This attack could be used as part of the information-gathering phase leading to other attacks. A script to automate this information leak has been released to the public. Users should watch for a new version of ProFTPD that repairs the information leak.

The Squid Web Proxy Cache

Squid is a free open source web proxy cache server designed for Unix systems with many features, including the proxying and caching of HTTP, FTP, and other URL types; proxying for SSL; transparent caching; extensive access controls; HTTP server acceleration; SNMP; and the caching of DNS queries. A bug in the asn_parse_header() function contained in snmplib/asn1.c can be exploited by a remote attacker to crash the Squid server and cause a denial of service. This attack uses a single UDP packet. Users can test to see if their version of Squid was compiled with SNMP support and is vulnerable to this bug by using the command grep snmp_port /usr/local/squid/sbin/squid. If the command returns with no output, Squid is not vulnerable.

It is recommended that users upgrade to Squid-2.5.STABLE7 or newer. One workaround for this bug is to disable SNMP support by adding snmp_port 0 to the squid.conf file or by restricting SNMP connections to authorized hosts by adding something similar to snmp_incoming_address to the squid.conf file.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Read more Security Alerts columns.

Return to

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Linux Resources
  • Linux Online
  • The Linux FAQ
  • Linux Kernel Archives
  • Kernel Traffic

  • Sponsored by: