mailing list archives
Re: [linux-security] Minicom 1.75 Vulnerability
From: jhenders () BOGON COM (John Henders)
Date: Mon, 10 Feb 1997 06:15:18 -0800
On Feb 10, jason () redline ru (Dmitry E. Kim) wrote:
well, here is another standard buffer overrun vulnerability, which may
sometimes lead to root compromise (not always. not in new distributions,
fortunately). Current Slackware and current RedHat don't install minicom
suid root, only sgid/uucp, which is not *that* dangerous. But when you
build minicom from source, it asks you to do "chmod +s" on it.
Vulnerability in minicom allows (certain) local users to obtain group
"uucp" privileges and, in certain cases, root privileges.
Unless it's changed recently, minicom also requires you to be in a
minicom.users file to use it at all, which alleviates the risk somewhat.
The idea of allowing public users of a system unrestricted access to a
dialout port is pretty scarey on it's own, so I would hope anyone using
minicom would be pretty careful about who was in that file.
Artificial Intelligence stands no chance against Natural Stupidity.
GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*