Original issue date: February 18, 1993<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<B>THIS IS A REVISED CERT ADVISORY<BR>
IT CONTAINS UPDATED INFORMATION</B>

<P>The CERT Coordination Center has received information concerning a
vulnerability in the &quot;finger&quot; program of Commodore Business
Machines' Amiga UNIX product.  The vulnerability affects Commodore
Amiga UNIX versions 1.1, 2.03, 2.1, 2.1p1, 2.1p2, and 2.1p2a.
Commodore is aware of the vulnerability, and both a workaround and a
patch are available.  Affected sites should apply either the
workaround or the patch; directions are provided below.

<P>The Commodore contact e-mail address given in CERT Advisory
CA-93.04 was incorrect.  This revised advisory provides the correct
e-mail address.  If you have any further questions, contact David
Miller of Commodore via e-mail at
<A HREF=mailto:davidm@commodore.com>davidm@commodore.com</A> .

<P><HR>

<P>
<H2>I. Description</H2>

<P>The &quot;finger&quot; command in Amiga UNIX contains a security
vulnerability.

<P>
<H2>II. Impact</H2>

<P>Non-privileged users can gain unauthorized access to files.

<P>
<H2>III.  Solution</H2>

<P>Commodore has suggested a workaround and a patch, as follows:

<P>
<OL>
<H3><LI TYPE = "A">Workaround</H3>
As root, modify the permission of the existing /usr/bin/finger
to prevent misuse.

<P>
<PRE>
     # /bin/chmod 0755 /usr/bin/finger
</PRE>

<P>
<H3><LI>Patch</H3>

<P>As root, install the &quot;pubsrc&quot; package from the distribution tape. 

<P>In the file, &quot;/usr/src/pub/cmd/finger/src/finger.c&quot;, add the line:

<P><PRE>
     setuid(getuid());
</PRE>

<P>immediately before the line reading:

<P><PRE>
     display_finger(finger_list);
</PRE>

<P>(Optionally) save a copy of the existing /usr/bin/finger and modify
its permission to prevent misuse.

<P><PRE>
     # /bin/mv /usr/bin/finger /usr/bin/finger.orig
     # /bin/chmod 0755 /usr/bin/finger.orig
</PRE>

<P>In the directory, &quot;/usr/src/pub/cmd/finger&quot;, issue the command:

<P><PRE>
     # cd /usr/src/pub/cmd/finger
     # make install
</PRE>

<P>
</OL>
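<P>The one-line patch above calls setuid(getuid()) and does not check the result. As an added example (not Commodore's finger source and not part of the original advisory), the C function below performs the same drop and verifies that it took effect; drop_privileges() is a hypothetical name, and dropping the group ID as well is an assumption that goes beyond the advisory's patch.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Permanently give up set-user-ID / set-group-ID privilege.
 * Hypothetical helper, not taken from finger.c.
 * Returns 0 on success, -1 if the process may still hold privilege.
 */
int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the effective uid is given up,
     * setgid() may no longer be permitted. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)      /* the call the advisory's patch adds */
        return -1;

    /* The effective IDs must now equal the real IDs. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;

    /* On systems with saved IDs, setuid() from a non-root effective uid
     * changes only the effective uid, so the old one could be restored.
     * Treat a successful restore as a failed drop. Skipped when the
     * invoking user is root, who can switch IDs regardless. */
    if (ruid != 0 && old_euid != ruid && setuid(old_euid) == 0)
        return -1;
    if (ruid != 0 && old_egid != rgid && setgid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    /* Work done on the user's behalf, display_finger(finger_list) in the
     * advisory's patch, belongs after this point. */
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```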
<HR>

<P>The CERT Coordination Center wishes to thank Commodore Business
Machines for their response to this problem.

<P>Copyright 1993 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
September 19, 1997  Attached copyright statement
</PRE>