Bugtraq mailing list archives

Re: [linux-security] Minicom 1.75 Vulnerability


From: jhenders () BOGON COM (John Henders)
Date: Mon, 10 Feb 1997 06:15:18 -0800


On Feb 10, jason () redline ru (Dmitry E. Kim) wrote:

  well, here is another standard buffer overrun vulnerability, which may
sometimes lead to root compromise (not always. not in new distributions,
fortunately). Current Slackware and current RedHat don't install minicom
suid root, only sgid/uucp, which is not *that* dangerous. But when you
build minicom from source, it asks you to do "chmod +s" on it.

Summary:
    Vulnerability in minicom allows (certain) local users to obtain group
  "uucp" privileges and, in certain cases, root privileges.


Unless it's changed recently, minicom also requires you to be in a
minicom.users file to use it at all, which alleviates the risk somewhat.
The idea of allowing public users of a system unrestricted access to a
dialout port is pretty scary on its own, so I would hope anyone using
minicom would be pretty careful about who was in that file.

--
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*
