Pine, developed at the University of Washington, is a tool for reading,
sending, and managing electronic messages (including mail and news).

A buffer overflow exists in the way unpatched versions of Pine prior to
4.57 handle the 'message/external-body' type. The Common Vulnerabilities
and Exposures project has assigned the name CAN-2003-0720 to this issue.

An integer overflow exists in the Pine MIME header parsing in versions
prior to 4.57. The Common Vulnerabilities and Exposures project has
assigned the name CAN-2003-0721 to this issue.

Both of these flaws could be exploited by a remote attacker sending a
carefully crafted email to the victim that will execute arbitrary code when
the email is opened using Pine.
Posted Sep 18, 2003 9:12 UTC (Thu) by vmlinuz (subscriber, #24)
Just for reference, there is no released Pine 4.57 - they skipped that completely and went to 4.58. I don't quite know why, but I'd guess that 4.57 was already under development, but not ready for release, so 4.58 is just 4.56 with the holes fixed...