[linux-security] bugs in pine allow execution of arbitrary code



Topic
=====
pine's URL parsing code contains a bug that may allow execution of
arbitrary code

Problem Description
===================
pine contains a bug in the treatment of quotes in the URL-handling code.
The bug allows a malicious sender to embed commands in a URL.
Example: A URL constructed as:

   http://www.somewhere.com/'&touch${IFS}/tmp/foo${IFS}/tmp/bar'

would cause the files /tmp/foo and /tmp/bar to be created on the
user's machine if the URL is viewed.
Now just consider what would happen if "touch" is replaced by "rm",
"/tmp/foo" by "-rf" and "/tmp/bar" by "~" ...
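
How a caller can hand such a URL to an external viewer safely, as an added example that is not pine's code or part of the original advisory. It assumes the viewer command was built by wrapping the URL in single quotes for /bin/sh (the advisory only says the quote handling is at fault); `sh_quote` and `run_viewer` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption (not pine source): the command was built as  viewer '<url>'  for sh. */
/* Quote s as a single sh word: wrap it in '...' and rewrite each embedded
   ' as '\'' so it cannot close the quoting early.
   Returns 0 on success, -1 if out is too small. */
int sh_quote(const char *s, char *out, size_t n)
{
    size_t o = 0;
    if (n < 3) return -1;
    out[o++] = '\'';
    for (; *s; s++) {
        size_t need = (*s == '\'') ? 4 : 1;
        if (o + need + 2 > n) return -1;   /* room for closing ' and NUL */
        if (*s == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *s;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Preferred fix: no shell at all. The URL is passed as one argv entry, so
   quotes, '&' and ${IFS} are never interpreted.
   Returns the viewer's exit status, or -1 on error. */
int run_viewer(const char *viewer, const char *url)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(viewer, viewer, url, (char *)NULL);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* URL from the advisory, handled purely as data */
    const char *url = "http://www.somewhere.com/'&touch${IFS}/tmp/foo${IFS}/tmp/bar'";
    char q[512];
    if (sh_quote(url, q, sizeof q) == 0) printf("quoted for sh: %s\n", q);
    return run_viewer("echo", url);        /* "echo" stands in for a browser */
}
```

With either approach the viewer receives the whole string, quotes included, as a single argument.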

Affected Systems
================
All versions of pine < 4.44.

Workaround (recommended)
========================
Uninstall pine, use elm or mutt. If you "must" use pine, at least set the
option

   feature-list=no-enable-msg-view-urls

which will prevent viewing of URLs. Bugs have been found in pine's URL
code before and it is unlikely that this will be the last.

Solution (if you want to keep pine)
===================================

RedHat 6.x
----------
rpm -Fvh pine-4.44-1.62.0.i386.rpm

RedHat 7.0
----------
rpm -Fvh pine-4.44-1.70.0.i386.rpm

RedHat 7.1
----------
rpm -Fvh pine-4.44-1.71.0.i386.rpm

RedHat 7.2
----------
rpm -Fvh pine-4.44-1.72.0.i386.rpm