![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Caldera Support Information <sup-info@opus.caldera.com>
To: announce@lists.caldera.com, bugtraq@securityfocus.com,
linux-security@redhat.com, linuxlist@securityportal.com
Subject: Securty update: format string problems in minicom CSSA-2001-016.0
Date: Wed, 9 May 2001 11:55:35 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
Caldera Systems, Inc. Security Advisory
Subject: format string problems in minicom
Advisory number: CSSA-2001-016.0
Issue date: 2001 May, 9
Cross reference:
______________________________________________________________________________
1. Problem Description
There are several format string bugs in minicom, a
terminal emulator used for modem dialup. These bugs
can be exploited to obtain group uucp privilege.
In a posting to bugtraq, a claim was made that this can
be exploited to obtain root privilege. However, the attack
described in the posting does not work; at least it doesn't
on OpenLinux.
Users should nevertheless correct this problem as soon
as possible by upgrading to the fixed package and/or
by the included workaround.
2. Vulnerable Versions
System Package
-----------------------------------------------------------
OpenLinux 2.3 not vulnerable
OpenLinux eServer 2.3.1 not vulnerable
and OpenLinux eBuilder
OpenLinux eDesktop 2.4 All packages previous to
minicom-1.83.1-7D
3. Solution
Workaround
Either remove the setgid bit on minicom, or uninstall
the package completely.
To remove the setgid bit,
chmod -s /usr/bin/minicom
To uninstall the package:
rpm -e minicom
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
not vulnerable
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
not vulnerable
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
533798d8d673601b1dc5c17981a92452 RPMS/minicom-1.83.1-7D.i386.rpm
90d71f60fe08d19d998702269c78aa34 SRPMS/minicom-1.83.1-7D.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh minicom-*i386.rpm
The update package provided by Caldera removes the setgid
bit from the minicom binary and uses a helper program called
modem-envoy to open the device instead.
The helper program uses a file named /etc/modemaccess.conf to
decide whether a user is permitted to open a given device. The
default setting is to allow everyone to open /dev/modem, which
should be a symbolic link to the appropriate device file. That is,
if your modem is attached to /dev/ttyS0 (aka COM1), /dev/modem
should look like this:
# ls -l /dev/modem
lrwxrwxrwx 1 root root 10 May 15 2000 /dev/modem -> /dev/ttyS0
If the link doesn't exist, create it manually (as super user):
# ln -sf ttyS0 /dev/modem
7. References
This and other Caldera security resources are located at:
http://www.calderasystems.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 9911.
8. Disclaimer
Caldera Systems, Inc. is not responsible for the misuse of any of the
information we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended to
promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6+QMs18sy83A/qfwRAv2BAJ4/Uac0hogyKlncvZ832JwB2yTbigCgrR/r
3vwBGOv4fq3tVPb1DliozW4=
=DeuQ
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: announce-unsubscribe@lists.caldera.com
For additional commands, e-mail: announce-help@lists.caldera.com