Original issue date: February 18, 1993
Last revised: September 19, 1997
Attached copyright statement
A complete revision history is at the end of this file. THIS IS A REVISED CERT ADVISORY
IT CONTAINS UPDATED INFORMATION
The CERT Coordination Center has received information concerning a vulnerability in the "finger" program of Commodore Business Machine's Amiga UNIX product. The vulnerability affects Commodore Amiga UNIX versions 1.1, 2.03, 2.1, 2.1p1, 2.1p2, and
2.1p2a. Commodore is aware of the vulnerability, and both a workaround and a patch are available. Affected sites should apply either the workaround or the patch, and directions are provided below.
The Commodore contact e-mail address given in CERT Advisory CA-93.04 was incorrect. This revised advisory provides the correct e-mail address. If you have any further questions, contact David Miller of Commodore via e-mail at email@example.com .
The "finger" command in Amiga UNIX contains a security vulnerability.
Non-privileged users can gain unauthorized access to files.
Commodore has suggested a workaround and a patch, as follows:
- Workaround As root, modify the permission of the existing /usr/bin/finger to prevent misuse.
# /bin/chmod 0755 /usr/bin/finger
As root, install the "pubsrc" package from the distribution tape.
In the file, "/usr/src/pub/cmd/finger/src/finger.c", add the line:
immediately before the line reading:
(Optionally) save a copy of the existing /usr/bin/finger and modify its permission to prevent misuse.
# /bin/mv /usr/bin/finger /usr/bin/finger.orig
# /bin/chmod 0755 /usr/bin/finger.orig
In the directory, "/usr/src/pub/cmd/finger", issue the command:
# cd /usr/src/pub/cmd/finger
# make install
Copyright 1993 Carnegie Mellon University.
September 19,1997 Attached Copyright Statement