Debian Security Advisory
cfingerd -- root exploit in cfingerd
- Date Reported:
- 14 Aug 1999
- Affected Packages:
- cfingerd
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-1999-0813.
- More information:
-
A serious bug in cfingerd before version 1.4.0 has been
reported. It is present in all versions of cfingerd from 1.2.0 up to any
version of 1.3.2. If configured accordingly this bug enables any local user to
execute arbitrary programs with root privileges.
You are safe if you have disabled ALLOW_EXECUTION in your cfingerd.conf file in section "internal_config", i.e. that file contains a line "-ALLOW_EXECUTION"
This is the default configuration of this package. If you use the default cfingerd.conf file as shipped with the distribution you are safe. You should still upgrade.
All versions of cfingerd from 1.2.0, prior to 1.4.0 were vulnerable to this exploit. The fix from 1.4.0 has been added to cfingerd 1.3.2-18.1 for slink, which is available at the location below.
More information about this bug can be found at PacketStorm - cfingerd.txt
N.B.: Fixed packages are available below for Debian 2.1 (slink). cfingerd 1.4.0 is included in Debian 2.2 (potato).
- Fixed in:
-
- alpha:
- http://security.debian.org/dists/stable/updates/binary-alpha/cfingerd_1.3.2-18.1_alpha.deb
- i386:
- http://security.debian.org/dists/stable/updates/binary-i386/cfingerd_1.3.2-18.1_i386.deb
- m68k:
- http://security.debian.org/dists/stable/updates/binary-m68k/cfingerd_1.3.2-18.1_m68k.deb
- sparc:
- http://security.debian.org/dists/stable/updates/binary-sparc/cfingerd_1.3.2-18.1_sparc.deb