Malcolm Scott discovered a remote-exploitable buffer overflow in the RFC1413 (ident) client of cfingerd, a configurable finger daemon. This vulnerability was introduced in a previously applied patch to the cfingerd package in 1.4.3-3.

For the stable distribution (squeeze), this problem has been fixed in version 1.4.3-3+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 1.4.3-3.1. For the unstable distribution (sid), this problem has been fixed in version 1.4.3-3.1. We recommend that you upgrade your cfingerd packages.

This is a free replacement for standard finger daemons such as GNU fingerd and MIT fingerd. Cfingerd can enable/disable finger services to individual users, rather than to all users on a given host. It is able to respond to a finger request to a specified user by running a shell script (e.g., finger doorbell@mysite.mydomain might cause a sound file to be sent) rather than just a plain text file.

cfingerd on Debian Linux

This check tests the installed software version using the apt package manager.

• http://www.debian.org/security/2013/dsa-2635.html

---

Updated on 2015-03-25