-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
                Caldera Systems, Inc.  Security Advisory

Subject:                format string problems in minicom
Advisory number:        CSSA-2001-016.0
Issue date:             2001 May, 9
Cross reference:
______________________________________________________________________________


1. Problem Description

   There are several format string bugs in minicom, a terminal
   emulator used for modem dialup. These bugs can be exploited to
   obtain group uucp privilege.

   In a posting to bugtraq, a claim was made that this can be
   exploited to obtain root privilege. However, the attack described
   in the posting does not work; at least it doesn't on OpenLinux.

   Users should nevertheless correct this problem as soon as possible
   by upgrading to the fixed package and/or by the included workaround.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                not vulnerable

   OpenLinux eServer 2.3.1      not vulnerable
   and OpenLinux eBuilder

   OpenLinux eDesktop 2.4       All packages previous to
                                minicom-1.83.1-7D


3. Solution

   Workaround

     Either remove the setgid bit on minicom, or uninstall the
     package completely.

     To remove the setgid bit,

         chmod -s /usr/bin/minicom

     To uninstall the package:

         rpm -e minicom

   The proper solution is to upgrade to the latest packages.


4. OpenLinux 2.3

   not vulnerable


5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

   not vulnerable


6. OpenLinux eDesktop 2.4

   6.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/

       The corresponding source code package can be found at:

       ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS

   6.2 Verification

       533798d8d673601b1dc5c17981a92452  RPMS/minicom-1.83.1-7D.i386.rpm
       90d71f60fe08d19d998702269c78aa34  SRPMS/minicom-1.83.1-7D.src.rpm

   6.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

           rpm -Fvh minicom-*i386.rpm

       The update package provided by Caldera removes the setgid bit
       from the minicom binary and uses a helper program called
       modem-envoy to open the device instead.

       The helper program uses a file named /etc/modemaccess.conf to
       decide whether a user is permitted to open a given device. The
       default setting is to allow everyone to open /dev/modem, which
       should be a symbolic link to the appropriate device file.

       That is, if your modem is attached to /dev/ttyS0 (aka COM1),
       /dev/modem should look like this:

           # ls -l /dev/modem
           lrwxrwxrwx 1 root root 10 May 15 2000 /dev/modem -> /dev/ttyS0

       If the link doesn't exist, create it manually (as super user):

           # ln -sf ttyS0 /dev/modem


7. References

   This and other Caldera security resources are located at:

   http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 9911.


8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of
   the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6+QMs18sy83A/qfwRAv2BAJ4/Uac0hogyKlncvZ832JwB2yTbigCgrR/r
3vwBGOv4fq3tVPb1DliozW4=
=DeuQ
-----END PGP SIGNATURE-----
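
Added example, not part of the Caldera advisory: a shell audit of the checks described in sections 3 and 6 (setgid bit on minicom, the /dev/modem link, the published MD5 sums). The function names and the MINICOM and MODEM environment variables are this example's own assumptions; md5sum is assumed to be installed.

```shell
#!/bin/sh
# Added example: audit a host against CSSA-2001-016.0. Checksums and default
# paths come from the advisory text; function names are this example's own.
MD5_I386=533798d8d673601b1dc5c17981a92452   # RPMS/minicom-1.83.1-7D.i386.rpm
MD5_SRC=90d71f60fe08d19d998702269c78aa34    # SRPMS/minicom-1.83.1-7D.src.rpm

# True if file $1 still has the setgid bit (the privilege the bugs expose).
is_setgid() { [ -g "$1" ]; }

# True if file $1 exists and its MD5 equals hex digest $2.
md5_matches() {
    [ -f "$1" ] || return 1
    [ "$(md5sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

# True if $1 is a symlink that resolves to a character device.
modem_link_ok() { [ -L "$1" ] && [ -c "$1" ]; }

# audit BINARY MODEM_LINK [PACKAGE ...]; sets FINDINGS to the problem count.
audit() {
    bin=$1 link=$2; shift 2
    FINDINGS=0
    if [ ! -e "$bin" ]; then
        echo "ok:   $bin not installed"
    elif is_setgid "$bin"; then
        echo "FAIL: $bin is setgid; upgrade or run: chmod -s $bin"
        FINDINGS=$((FINDINGS + 1))
    else
        echo "ok:   $bin is not setgid"
        if ! modem_link_ok "$link"; then
            echo "WARN: $link is not a symlink to a character device"
            FINDINGS=$((FINDINGS + 1))
        fi
    fi
    for pkg in "$@"; do
        case $pkg in
            *.src.rpm) want=$MD5_SRC ;;
            *)         want=$MD5_I386 ;;
        esac
        if md5_matches "$pkg" "$want"; then
            echo "ok:   $pkg matches the advisory checksum"
        else
            echo "FAIL: $pkg does not match the advisory checksum"
            FINDINGS=$((FINDINGS + 1))
        fi
    done
}

audit "${MINICOM:-/usr/bin/minicom}" "${MODEM:-/dev/modem}" "$@"
```

Pass downloaded package files as arguments to have them checked before running rpm -Fvh. The MD5 sums catch a corrupted download, not a deliberately forged package.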