Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 78768 - Security issue in Pine 4.44 and older releases
Summary: Security issue in Pine 4.44 and older releases
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: pine
Version: 2.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-11-29 14:38 UTC by Mark J. Cox
Modified: 2007-11-30 22:06 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-01-12 02:53:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2002:271 high SHIPPED_LIVE Moderate: pine security update 2003-02-07 05:00:00 UTC

Description Mark J. Cox 2002-11-29 14:38:26 UTC
A security problem was found in versions of Pine prior to 4.50. Pine does
no allocate enough memory for the parsing and escaping of the "From"
header, allowing a carefully crafted email to cause a buffer overflow on
the heap that will make Pine crash. 

http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2

Comment 1 Mike A. Harris 2002-12-02 09:12:31 UTC
People reading this report may be a bit curious about the fix that Red Hat
and pretty much all other vendors are currently using, due to the timing
of things.

This bug was found prior to pine 4.50 being released, and the patch which
fixes pine 4.44 and earlier is what we have applied to pine 4.44 in order to
resolve this issue with minimal impact.

Some users have asked why Red Hat has not released a pine 4.50 update since
it also fixes this issue.  Since this is a security issue, what is most
important is that the specific security issue is fixed, and nothing else
is changed.  That provides Red Hat customers with a new bug fixed version
of the version of pine that they are already using, and it comes with no
surprises.

pine 4.50 is brand new, and as such may contain instabilities or other
new bugs due to it being a brand new release just released to the general
public, and not yet having widespread testing.

As such, releasing pine 4.50 instead of the bug fixed pine 4.44 could
cause a software regression, and that isn't an acceptable solution for
Red Hat's stable OS products.  We've chosen to fix the bug instead by
patching it, and providing a known stable package as an update.

Some users are curious about when Red Hat will release pine 4.50 for
the various Red Hat OS products.  pine 4.50 or some later version
will appear in a future Red Hat Linux product at some point, once
it is considered stable for inclusion and has had adequate beta
testing.  There are no plans for shipping a pine 4.50 enhancement
update for any Red Hat Linux products at this time, however over time
if the new version of pine proves itself to be as stable and reliable
as pine 4.44 is, then we may consider releasing an enhancement.  There
are currently no plans however to do so.

Comment 2 Mike A. Harris 2002-12-20 08:16:29 UTC
This problem has been fixed and in QA testing.  I've updated the bug
summary to be more accurate, and closing this as fixed in erratum, as
the new erratum should be released very soon.

Comment 3 Mark J. Cox 2002-12-20 08:20:57 UTC
This bug is used for tracking security issues in Advanced Server; reopening
until the errata ships (at which time the bug will be closed automatically)

Comment 4 Mike A. Harris 2003-01-12 02:53:58 UTC
Closed automatically by what?  ;o)

The erratum has been released already.


Note You need to log in before you can comment on or make changes to this bug.