Bug 20701

Summary: minicom new security issue CVE-2017-7467
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, deri, lists.jjorge, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: minicom-2.7-4.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-04-19 02:03:48 CEST 
Upstream has issued an advisory today (April 18):
http://openwall.com/lists/oss-security/2017/04/18/5

The issue is fixed in 2.7.1.

Mageia 5 is also affected.
David Walser 2017-04-19 02:03:58 CEST

Whiteboard: (none) => MGA5TOO

Nicolas Lécureuil 2017-04-22 21:34:13 CEST

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
CC: (none) => mageia

Comment 1 Nicolas Lécureuil 2017-04-22 21:35:41 CEST 
pushed in updates_testing

src.rpm:  minicom-2.7.1-1.mga5

Assignee: cooker => qa-bugs

Comment 2 David Walser 2017-04-22 22:43:49 CEST 
Advisory:
========================

Updated minicom package fixes security vulnerability:

In minicom before version 2.7.1, the escparms[] buffer in vt100.c is vulnerable
to an overflow that may allow for remote code execution (CVE-2017-7467).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7467
http://openwall.com/lists/oss-security/2017/04/18/5
========================

Updated packages in core/updates_testing:
========================
minicom-2.7.1-1.mga5

from minicom-2.7.1-1.mga5.src.rpm
Dave Hodgins 2017-04-24 02:30:08 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Deri James 2017-04-24 11:42:48 CEST 
Tested on 64bit Mag 5, using FTDI link to Cubibox I4, seems to work:-

======================================================================

[derij@pip ~]$ minicom 

Welcome to minicom 2.7.1

OPTIONS: I18n 
Compiled on Apr 22 2017, 19:35:58.
Port /dev/ttyUSB0

Press CTRL-A Z for help on special keys


Debian GNU/Linux stretch/sid ws ttymxc0

ws login: 
Debian GNU/Linux stretch/sid ws ttymxc0

ws login: root
Password: 
Last login: Sat Mar 11 20:51:22 GMT 2017 on ttymxc0
Linux ws 3.14.14-cubox-i #2 SMP Wed Mar 11 13:01:02 CET 2015 armv7l
  ____      _                 _ ____     __  __    ___ _  _   
 / ___|   _| |__   _____  __ (_)___ \ ___\ \/ /   / (_) || |  
| |  | | | | '_ \ / _ \ \/ / | | __) / _ \\  /   / /| | || |_ 
| |__| |_| | |_) | (_) >  <  | |/ __/  __//  \  / / | |__   _|
 \____\__,_|_.__/ \___/_/\_\ |_|_____\___/_/\_\/_/  |_|  |_|  
                                                              

Welcome to ARMBIAN Debian GNU/Linux stretch/sid 3.14.14-cubox-i 
System load:   0.11             Up time:       23 days
Memory usage:  18 % of 2015Mb   Swap usage:    13 % of 512Mb    IP:            192.168.0.251
HDD temp:      37�°C           
Usage of /:    54% of 7.4G   


[ 4 updates to install: apt-get upgrade ]


Load: 0.26, 0.09, 0.06 - Drive: 37�°C - Memory: 1649Mb

===================================================================

CC: (none) => deri

Comment 4 José Jorge 2017-05-03 09:47:59 CEST 
Tested on i586, connecting to a Cisco device. All Ok.

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK

Comment 5 Dave Hodgins 2017-05-03 23:14:28 CEST 
Thanks for the testing. Validating the update.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-05-04 00:24:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0128.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED