Debian Security Advisory

cfingerd -- root exploit in cfingerd

Date Reported:
14 Aug 1999
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-1999-0813.
More information:
A serious bug in cfingerd before version 1.4.0 has been reported. It is present in all versions of cfingerd from 1.2.0 up to any version of 1.3.2. If configured accordingly this bug enables any local user to execute arbitrary programs with root privileges.

You are safe if you have disabled ALLOW_EXECUTION in your cfingerd.conf file in section "internal_config", i.e. that file contains a line "-ALLOW_EXECUTION"

This is the default configuration of this package. If you use the default cfingerd.conf file as shipped with the distribution you are safe. You should still upgrade.

All versions of cfingerd from 1.2.0, prior to 1.4.0 were vulnerable to this exploit. The fix from 1.4.0 has been added to cfingerd 1.3.2-18.1 for slink, which is available at the location below.

More information about this bug can be found at PacketStorm - cfingerd.txt

N.B.: Fixed packages are available below for Debian 2.1 (slink). cfingerd 1.4.0 is included in Debian 2.2 (potato).

Fixed in: