COMMAND

    minicom

SYSTEMS AFFECTED

    Systems running Minicom 1.80.1 (Slackware 3.5 and others)

PROBLEM

    Eduardo Navarro found the following buffer overflows in Minicom
    1.80.1, which comes setuid root with Slackware 3.5. At the very
    least, you can overflow the stack through $HOME and $TERM, or by
    passing a large string to one of the following flags: -o, -m, -l,
    -z and -t, because the source contains many strcpy and sprintf
    calls:

        ~/minicom/minicom-1.80/src$ grep strcpy * | wc -l
        67
        ~/minicom/minicom-1.80/src$ grep sprintf * | wc -l
        40

    If you look at the sources, you can see:

          strcpy(termtype, getenv("TERM") ? getenv("TERM") : "dumb");

    or

                case 't': /* Terminal type */
                        strcpy(termtype, optarg);

    or

                       sprintf(pseudo, "/dev/%s", optarg);

    or

        sprintf(parfile, "%s/minirc.%s", LIBDIR, use_port);

    or

        /* Remember home directory and username. */
        if ((s = getenv("HOME")) == CNULL)
              strcpy(homedir, pwd->pw_dir);
        else
              strcpy(homedir, s);
        strcpy(username, pwd->pw_name);

        /* Get personal parameter file */
        sprintf(pparfile, "%s/.minirc.%s", homedir, use_port);

    ... and many more. The same goes for 1.75 under RedHat 5.0 and
    Debian 1.3.1.

SOLUTION

    Update to version 1.81.1 or 1.82.beta*. Another workaround is to
    create a minicom group and only allow trusted users to use the
    program. The updated package is available here:

        ftp://ftp.cdrom.com/pub/linux/slackware-3.5/a6/minicom.tgz
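
    For comparison, a bounded form of the copies quoted under PROBLEM.
    This is an added example, not code from Minicom or from the fixed
    release: the helper names, the buffer sizes and the sample values
    "/home/user" and "dfl" are assumptions made for illustration.

```c
/* Added example, not Minicom source. Buffer sizes and helper names are
 * assumptions; the advisory does not show the original declarations. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERMTYPE_SZ 32   /* assumed size */
#define PATH_SZ     256  /* assumed size */

/* Copy src into dst only if it fits with its NUL; never truncate silently. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsz)
        return -1;               /* reject instead of overflowing */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded form of sprintf(pparfile, "%s/.minirc.%s", homedir, use_port). */
int build_pparfile(char *dst, size_t dstsz, const char *homedir,
                   const char *use_port)
{
    int n = snprintf(dst, dstsz, "%s/.minirc.%s", homedir, use_port);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;   /* truncated = error */
}

/* Bounded form of strcpy(termtype, getenv("TERM") ? ... : "dumb"). */
int load_termtype(char *dst, size_t dstsz)
{
    const char *t = getenv("TERM");
    return copy_bounded(dst, dstsz, t ? t : "dumb");
}

int main(void)
{
    char termtype[TERMTYPE_SZ], pparfile[PATH_SZ];

    /* A setuid program should refuse oversized input, not clip it. */
    if (load_termtype(termtype, sizeof termtype) != 0 ||
        build_pparfile(pparfile, sizeof pparfile, "/home/user", "dfl") != 0) {
        fprintf(stderr, "input too long, refusing to continue\n");
        return 1;
    }
    printf("termtype=%s pparfile=%s\n", termtype, pparfile);
    return 0;
}
```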