A complete revision history is at the end of this file.
THIS IS A REVISED CERT ADVISORY
IT CONTAINS UPDATED INFORMATION
The CERT Coordination Center has received information concerning a vulnerability in the "finger" program of Commodore Business Machine's Amiga UNIX product. The vulnerability affects Commodore Amiga UNIX versions 1.1, 2.03, 2.1, 2.1p1, 2.1p2, and 2.1p2a. Commodore is aware of the vulnerability, and both a workaround and a patch are available. Affected sites should apply either the workaround or the patch, and directions are provided below.
The Commodore contact e-mail address given in CERT Advisory CA-93.04 was incorrect. This revised advisory provides the correct e-mail address. If you have any further questions, contact David Miller of Commodore via e-mail at davidm@commodore.com.
The "finger" command in Amiga UNIX contains a security vulnerability.
Non-privileged users can gain unauthorized access to files.
Commodore has suggested a workaround and a patch, as follows:
# /bin/chmod 0755 /usr/bin/finger
As root, install the "pubsrc" package from the distribution tape.
In the file, "/usr/src/pub/cmd/finger/src/finger.c", add the line:
setuid(getuid());
immediately before the line reading:
display_finger(finger_list);
(Optionally) save a copy of the existing /usr/bin/finger and modify its permission to prevent misuse.
# /bin/mv /usr/bin/finger /usr/bin/finger.orig
# /bin/chmod 0755 /usr/bin/finger.orig
In the directory, "/usr/src/pub/cmd/finger", issue the command:
# cd /usr/src/pub/cmd/finger
# make install
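An added example, not part of the advisory or of Commodore's source: the patch line above calls setuid(getuid()) without checking its result. The code below performs the same privilege drop with return values checked and the drop verified; drop_privileges() is a hypothetical helper name, and a POSIX system is assumed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (name not from the advisory): permanently give up any
 * set-user-ID / set-group-ID privilege and run as the invoking user.
 * Returns 0 on success, -1 if the privilege could not be dropped. */
int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Drop the group first: after the effective uid is given up,
     * setgid() may no longer be permitted. */
    if (setgid(rgid) != 0)
        return -1;
    /* The call the patch adds, with its return value checked. */
    if (setuid(ruid) != 0)
        return -1;

    /* Confirm the drop is permanent: if the old ids can be restored
     * (for example through a saved set-user-ID), treat it as a failure. */
    if (euid != ruid && setuid(euid) == 0)
        return -1;
    if (egid != rgid && setgid(egid) == 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    /* From here on, file access is checked against the invoking user.
     * In the patched finger.c this is where display_finger(finger_list) runs. */
    printf("running as uid=%ld gid=%ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```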
The CERT Coordination Center wishes to thank Commodore Business Machines for their response to this problem.
Copyright 1993 Carnegie Mellon University.
September 19, 1997 Attached Copyright Statement