COMMAND

    cfingerd

SYSTEMS AFFECTED

    Those running cfingerd 1.3.2

PROBLEM

    Salvatore Sanfilippo found the following.  There is a remote buffer
    overflow in cfingerd 1.3.2 in search_fake():

    int search_fake(char *username)
    {
        char parsed[80];

        bzero(parsed, 80);
        /* no field width on %[^.]: copies everything up to the first '.' */
        sscanf(username, "%[^.].%*[^\r\n]\r\n", parsed);
    ...

    called from process_username(), that is called from main:

    int main(int argc, char *argv[])
    {
        char username[100], syslog_str[200];
    ...

        if (!emulated) {
            /* fgets() allows up to 99 characters plus NUL into username[] */
            if (!fgets(username, sizeof(username), stdin)) {

    ...
        /* Check the finger information coming in and return its type */
        un_type = process_username(username);

    Note parsed[80] against username[100]: a line of up to 99 characters
    read by fgets() is copied by the unbounded %[^.] conversion into an
    80-byte buffer.  search_illegal() is called before search_fake(), so
    only [A-z0-9] and many other characters can be used in order to
    execute arbitrary code.  Debian is not vulnerable because a patch
    fixes this and other cfingerd weaknesses.
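    The following C program is an added illustration, not cfingerd's own
    code.  It shows the two things a defender wants to see from the
    snippets above: a check for whether a given username line would have
    overrun the original 80-byte parsed[] (the unbounded %[^.] conversion
    writes the whole prefix before the first '.' plus a NUL), and a
    hardened version of the parse in which the sscanf() field width is
    derived from the buffer size.  The function names search_fake_safe(),
    would_overflow(), fake_prefix_len() and long_username() and the sample
    usernames are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Size of parsed[] in cfingerd 1.3.2's search_fake() (from the advisory). */
#define PARSED_LEN 80
/* Size of username[] in main(); fgets() therefore delivers at most 99 chars + NUL. */
#define USERNAME_LEN 100

/* Number of bytes the unbounded "%[^.]" conversion would copy: every
 * character up to (not including) the first '.', or the whole string. */
size_t fake_prefix_len(const char *username)
{
    const char *dot = strchr(username, '.');
    return dot ? (size_t)(dot - username) : strlen(username);
}

/* Defender-side check: would the original 80-byte parsed[] be overrun by
 * this username?  sscanf() writes the prefix plus a terminating NUL. */
int would_overflow(const char *username)
{
    return fake_prefix_len(username) + 1 > PARSED_LEN;
}

/* Hardened search_fake() parse (assumed rewrite, not cfingerd's code):
 * the field width is derived from the buffer size, so the format string
 * cannot drift out of sync with the array.  Returns 1 when a prefix was
 * extracted into parsed[], 0 otherwise (e.g. username begins with '.'). */
int search_fake_safe(const char *username, char *parsed, size_t parsed_len)
{
    char fmt[48];

    if (parsed_len < 2)
        return 0;
    memset(parsed, 0, parsed_len);
    /* Builds e.g. "%79[^.].%*[^\r\n]\r\n" for an 80-byte buffer. */
    snprintf(fmt, sizeof fmt, "%%%zu[^.].%%*[^\r\n]\r\n", parsed_len - 1);
    return sscanf(username, fmt, parsed) == 1;
}

/* Constructed sample: a username of buflen-1 'A's, the longest line
 * fgets() can place into username[buflen]. */
void long_username(char *buf, size_t buflen)
{
    memset(buf, 'A', buflen - 1);
    buf[buflen - 1] = '\0';
}

int main(void)
{
    char parsed[PARSED_LEN];
    char username[USERNAME_LEN];

    /* Ordinary request (constructed): prefix fits, nothing to worry about. */
    search_fake_safe("alice.fakeuser\r\n", parsed, sizeof parsed);
    printf("prefix=\"%s\" overflow=%d\n", parsed,
           would_overflow("alice.fakeuser\r\n"));

    /* Longest possible line: original code overflows, hardened one truncates. */
    long_username(username, sizeof username);
    search_fake_safe(username, parsed, sizeof parsed);
    printf("prefix length=%zu overflow=%d\n", strlen(parsed),
           would_overflow(username));
    return 0;
}
```

    With the width in place the hardened parse stores at most 79
    characters for an 80-byte buffer, which is the same effect the size
    bump in the SOLUTION section achieves indirectly, but without relying
    on the caller's buffer size.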

SOLUTION

    An easy and quick patch for cfingerd 1.3.2, if you really need to
    run finger:

        [root@dt065n87 src]# diff parse.old parse.c
        78c78
        <     char parsed[80];
        ---
        >     char parsed[100];
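    Review bot: the 78c78 hunk sizes parsed[] to 100 only because main()'s
    username[] happens to be 100 bytes and fgets() bounds it; nothing in
    search_fake() itself enforces that, so a caller with a larger buffer
    would reopen the overflow.  Giving the %[^.] conversion in the
    sscanf() call that follows a field width, e.g. `%99[^.]`, would make
    search_fake() safe on its own, independent of the caller.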
        80c80
        <     bzero(parsed, 80);
        ---
        >     bzero(parsed, 100);
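    Review bot: `bzero(parsed, 100)` in the 80c80 hunk repeats the array
    size as a literal; `bzero(parsed, sizeof(parsed))` keeps the two in
    step if the array is resized again.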

    Please find the new version of cfingerd at:

        ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/

    A general homepage has been created at

        http://www.Infodrom.North.DE/cfingerd/