COMMAND

    runpipe

SYSTEMS AFFECTED

    linux

PROBLEM

    Christopher Neufeld <neufeld@physics.utoronto.ca> posted about the
    following vulnerability.

    Runpipe is a daemon/client pair which watches a set of named
    pipes for a read or write action on a pipe, and then executes a
    program on the other end of the pipe. It is most commonly used to
    run a program on the other end of the .plan pipe, so that when a
    person fingers the account, the .plan "file" appears to contain
    the output of the program. This can be used to make plan files
    which change whenever they're read, or which deliver different
    messages depending on other information such as time of day or
    whether or not the user is logged on.
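
    The mechanism described above, as an added sketch that is not
    runpipe's own code: a process blocks on a named pipe until a reader
    opens it, then runs a program and writes its output into the pipe.
    The names serve_fifo_once and demo, the temporary path and the
    sample command are assumptions made for the illustration.

```python
import os
import stat
import subprocess
import sys
import tempfile
import threading


def serve_fifo_once(fifo_path, argv, timeout=5):
    """Wait for one reader on fifo_path, then feed it the output of argv."""
    # Opening a FIFO write-only blocks until another process opens it for
    # reading; that wake-up is the "read action" a pipe watcher reacts to.
    fd = os.open(fifo_path, os.O_WRONLY | os.O_NOFOLLOW)
    try:
        # Refuse anything that is not a named pipe (e.g. a swapped-in file).
        if not stat.S_ISFIFO(os.fstat(fd).st_mode):
            raise ValueError(f"{fifo_path} is not a named pipe")
        # argv is a list and no shell is involved. The child runs with the
        # credentials of this process, not those of whoever read the pipe.
        out = subprocess.run(argv, stdout=subprocess.PIPE,
                             stderr=subprocess.DEVNULL,
                             timeout=timeout, check=False).stdout
        view = memoryview(out)
        while view:
            view = view[os.write(fd, view):]
        return len(out)
    except BrokenPipeError:
        return 0  # reader went away before taking the output
    finally:
        os.close(fd)


def demo():
    """Constructed round trip: a private FIFO named .plan and one reader."""
    cmd = [sys.executable, "-c", "print('constructed plan output')"]
    with tempfile.TemporaryDirectory() as d:
        plan = os.path.join(d, ".plan")
        os.mkfifo(plan, 0o600)
        server = threading.Thread(target=serve_fifo_once, args=(plan, cmd))
        server.start()
        with open(plan, "rb") as reader:  # stands in for the finger daemon
            data = reader.read()
        server.join()
    return data


if __name__ == "__main__":
    print(demo().decode(), end="")
```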

SOLUTION

    The new release fixes a potentially serious security bug in the
    daemon when run in system mode, and a potentially annoying
    behaviour when run in paranoid mode. It is strongly recommended
    that nobody who runs the daemon in system mode run it with a
    version prior to 1.2.

    The latest version of runpipe is available now from the following
    FTP sites:

        caliban.physics.utoronto.ca/pub/linux/
        sunsite.unc.edu/pub/Linux/system/daemons