This is to announce a vulnerability that has just been fixed in minicom
2.7.1 released earlier today, and that had been found and fixed in
derived code in prl-vzvncserver (a Virtuozzo 7 component) earlier this
year. minicom 2.7.1 is available for download at:
At least in the Fedora 23 package of minicom, this lets me adjust or
replace the termout function pointer. If the variables were put in .bss
in the other order (perhaps by a different compiler), then ptr could be
overwritten, which is likely also exploitable.
As you can see, I am able to control the address to branch to. Moreover,
on typical 64-bit little-endian there's a partial ASLR (PIE) bypass due to
the ability to keep the most significant 32 bits of the function pointer intact.
Thus, this bug likely allows for remote code execution.
This is a new 2.7.1 available at:
Arches, please stabilize
Stable for HPPA.
Stable on alpha.
Remaining arches are not part of the security-supported architectures; please stabilize when you have a chance.
New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in
GLSA 201706-13 at https://security.gentoo.org/glsa/201706-13
by GLSA coordinator Kristian Fiskerstrand (K_F).
Author: Tim Harder <email@example.com>
Date: Thu Oct 12 00:40:27 2017 -0500
net-dialup/minicom: stabilize 2.7.1