COMMAND

    GNU in.fingerd(8) 1.37

SYSTEMS AFFECTED

    Systems running GNU in.fingerd(8) 1.37.

PROBLEM

    There is a bug in  the `lib/site/userinfo.c' module of GNU  finger
    version 1.37 allowing  any user on  a system to  execute arbitrary
    commands with gid root from  ~/.fingerrc. The problem is that  GNU
    finger  *first*  changes   its  userid  thus   giving  away   root
    privileges  and  *then*  tries  to  change  its gid which will not
    succeed.

SOLUTION

    Upgrade or apply this patch:

    *** userinfo.c.orig     Fri Mar 17 12:12:28 1995
    --- userinfo.c  Fri Mar 17 12:12:37 1995
    ***************
    *** 241,262 ****
                  dup (fileno (*streamp));
                }

              if (fileno (*streamp) != 2)
                {
                  close (2);
                  dup (fileno (*streamp));
                }

              /* Set uid/gid */
    -         setuid (user->pw_uid);
              setgid (user->pw_gid);

              /* Set default directory */
              chdir (user->pw_dir);

              /* Run ~/.fingerrc through user shell */
      #ifdef FINGERRC_SHELL
              execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
      #else
              execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
      #endif
    --- 241,262 ----
                  dup (fileno (*streamp));
                }

              if (fileno (*streamp) != 2)
                {
                  close (2);
                  dup (fileno (*streamp));
                }

              /* Set uid/gid */
              setgid (user->pw_gid);
    +         setuid (user->pw_uid);

              /* Set default directory */
              chdir (user->pw_dir);

              /* Run ~/.fingerrc through user shell */
      #ifdef FINGERRC_SHELL
              execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
      #else
              execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
      #endif