108 lines
3.6 KiB
Plaintext
108 lines
3.6 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-93:04a CERT Advisory
|
|
February 18, 1993
|
|
REVISION NOTICE: Commodore Amiga UNIX finger Vulnerability
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
*** THIS IS A REVISED CERT ADVISORY ***
|
|
*** IT CONTAINS UPDATED INFORMATION ***
|
|
|
|
The CERT Coordination Center has received information concerning a
|
|
vulnerability in the "finger" program of Commodore Business Machine's
|
|
Amiga UNIX product. The vulnerability affects Commodore Amiga UNIX
|
|
versions 1.1, 2.03, 2.1, 2.1p1, 2.1p2, and 2.1p2a. Commodore is aware
|
|
of the vulnerability, and both a workaround and a patch are available.
|
|
Affected sites should apply either the workaround or the patch, and
|
|
directions are provided below.
|
|
|
|
The Commodore contact e-mail address given in CERT Advisory CA-93:04
|
|
was incorrect. This revised advisory provides the correct e-mail
|
|
address. If you have any further questions, contact David Miller of
|
|
Commodore via e-mail at davidm@commodore.com.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
The "finger" command in Amiga UNIX contains a security
|
|
vulnerability.
|
|
|
|
|
|
II. Impact
|
|
|
|
Non-privileged users can gain unauthorized access to files.
|
|
|
|
|
|
III. Solution
|
|
|
|
Commodore has suggested a workaround and a patch, as follows:
|
|
|
|
A. Workaround
|
|
|
|
As root, modify the permission of the existing /usr/bin/finger
|
|
to prevent misuse.
|
|
|
|
# /bin/chmod 0755 /usr/bin/finger
|
|
|
|
B. Patch
|
|
|
|
As root, install the "pubsrc" package from the distribution tape.
|
|
|
|
In the file, "/usr/src/pub/cmd/finger/src/finger.c", add the line:
|
|
|
|
setuid(getuid());
|
|
|
|
immediately before the line reading:
|
|
|
|
display_finger(finger_list);
|
|
|
|
(Optionally) save a copy of the existing /usr/bin/finger and modify
|
|
its permission to prevent misuse.
|
|
|
|
# /bin/mv /usr/bin/finger /usr/bin/finger.orig
|
|
# /bin/chmod 0755 /usr/bin/finger.orig
|
|
|
|
In the directory, "/usr/src/pub/cmd/finger", issue the command:
|
|
|
|
# cd /usr/src/pub/cmd/finger
|
|
# make install
|
|
|
|
- ------------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Commodore Business
|
|
Machines for their response to this problem.
|
|
- ------------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in FIRST (Forum of Incident
|
|
Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous FTP
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMxI3VP+x0t4w7BAQFhUAP/VUG9htXQq0Odl6pAheUVfNFtAOT6ywdb
|
|
mV88uhz3olhWRRIw7fiUgtWKRphs66SajufMyekHEJc3hydopdffwEH0f7HBU0JY
|
|
QDg1wB/2J7LkrHXON4Qbv08MjTsvoorsOOzd/H0a4HPgmG1C+IfL0I/kW9IkjYFv
|
|
l9snJaWOvWQ=
|
|
=HKdP
|
|
-----END PGP SIGNATURE-----
|
|
|