Package: efingerd
Version: 1.6.2.7+nmu1
Severity: important

Dear Maintainer,

I'm afraid the default scripts in /etc/efingerd have a security weakness. They use $2 (the client IP address or host name) without escaping it. Since the efingerd package runs by default *without* the -n option, $2 will be a host name controlled by the client. If the name returned by the DNS PTR query is something like:

    foobar" ; do_something_evil

bad things can happen.

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.50-xenU-8149-i386 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages efingerd depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.49
ii  libc6                  2.13-38
ii  libident               0.22-3
ii  netbase                5.0
ii  update-inetd           4.43

efingerd recommends no packages.

Versions of packages efingerd suggests:
ii  finger  0.17-15

-- Configuration Files:
/etc/efingerd/list changed [not included]
/etc/efingerd/log changed [not included]
/etc/efingerd/luser changed [not included]
/etc/efingerd/nouser changed [not included]

-- debconf information:
  efingerd/allow_files: true
  efingerd/show_names: true
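One way a script could check the client name before using it, added here as an example and not taken from the report or from the efingerd package. The function names and the placeholder string are hypothetical; the only assumption about efingerd is the one stated in the report, that $2 carries the client IP address or host name.

```shell
#!/bin/sh
# Added example: validate the peer name handed to a script as $2.
# is_safe_peer / sanitize_peer are hypothetical names, not efingerd's own.

# Force the C locale so [A-Za-z] means ASCII letters only, whatever
# LC_CTYPE the daemon was started with.
LC_ALL=C
export LC_ALL

# is_safe_peer NAME
# Returns 0 if NAME contains only characters that can occur in a host
# name or an IPv4/IPv6 literal, 1 otherwise.
is_safe_peer() {
    name=$1
    # Empty value, or longer than a DNS name can be (253 characters).
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    case $name in
        # Anything outside letters, digits, '.', ':' and '-' is rejected:
        # quotes, spaces, ';', '$', backticks, newlines and so on.
        *[!A-Za-z0-9.:-]*) return 1 ;;
        # A leading '-' could be read as an option by a later command.
        -*) return 1 ;;
    esac
    return 0
}

# sanitize_peer NAME
# Prints NAME unchanged if it passes is_safe_peer, otherwise prints a
# fixed placeholder so the script can still log that a request arrived.
sanitize_peer() {
    if is_safe_peer "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' 'invalid-peer-name'
    fi
}

# Intended use at the top of a script (always keep the quotes):
#   peer=$(sanitize_peer "$2")
#   ... use "$peer" instead of $2 from here on ...
```

The allow-list replaces the value rather than trying to escape it, so the result is safe even if a later line of the script passes it through another layer of shell parsing.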