
[linux-security] more pine bugs



Topic
=====
Insecure creation of temporary files may allow compromise of system files.

Problem Description
===================
Versions of the Pine email client prior to 4.33 have various temporary
file creation problems, as does the pico editor.  These issues allow
any user with local system access, when the conditions are right, to
cause files owned by any other user, including root, to be overwritten.
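The advisory does not spell out the mechanism behind the pine/pico bugs, so
the following is an added illustration of the general class (not pine's code
and not from the advisory): a temporary file opened by a predictable name
with O_CREAT but without O_EXCL follows whatever already sits at that name,
while mkstemp() or O_CREAT|O_EXCL|O_NOFOLLOW refuses it, and an fstat/lstat
comparison after the open detects a redirected descriptor.  All function
names and the scratch directory layout below are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: predictable name, O_CREAT without O_EXCL, symlinks followed.
 * Whatever object already sits at the name is opened (and truncated). */
int weak_tmp_open(const char *dir, const char *prog) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s.%ld", dir, prog, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern 1: mkstemp() chooses an unpredictable name and creates it
 * with O_EXCL, so a pre-placed file or link at that name cannot be reused. */
int safe_tmp_open(const char *dir, const char *prog, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s.XXXXXX", dir, prog);
    if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out);
}

/* Hardened pattern 2: when the name must be fixed, O_EXCL makes open() fail
 * with EEXIST if anything (a symlink included) is already there, and
 * O_NOFOLLOW refuses to traverse a link at the final component. */
int fixed_name_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Post-open check: the descriptor must be a regular file with one link,
 * owned by the caller, and the same inode the path names (no link/swap). */
int fd_is_private_regular(int fd, const char *path) {
    struct stat fs, ls;
    if (fstat(fd, &fs) != 0 || lstat(path, &ls) != 0) return 0;
    if (!S_ISREG(fs.st_mode) || fs.st_nlink != 1) return 0;
    if (fs.st_uid != geteuid()) return 0;
    if (fs.st_dev != ls.st_dev || fs.st_ino != ls.st_ino) return 0;
    return 1;
}

/* Constructed scenario in a private scratch directory: a symlink already
 * occupies the predictable name and points at another file of ours.
 * Returns a bitmask: 1 = weak open was redirected and the check caught it,
 * 2 = mkstemp file passed the check, 4 = fixed-name O_EXCL open refused. */
int demo(void) {
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char victim[4200], link[4200], safepath[4200];
    int result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/prog.%ld", dir, (long)getpid());

    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0) return -1;
    close(v);
    if (symlink(victim, link) != 0) return -1;

    int wfd = weak_tmp_open(dir, "prog");          /* follows the link */
    if (wfd >= 0 && !fd_is_private_regular(wfd, link)) result |= 1;
    if (wfd >= 0) close(wfd);

    int sfd = safe_tmp_open(dir, "prog", safepath, sizeof safepath);
    if (sfd >= 0 && fd_is_private_regular(sfd, safepath)) result |= 2;
    if (sfd >= 0) { close(sfd); unlink(safepath); }

    int ffd = fixed_name_open(link);                /* must refuse: EEXIST */
    if (ffd < 0 && errno == EEXIST) result |= 4;
    if (ffd >= 0) close(ffd);

    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void) {
    printf("demo result bitmask: %d (7 = all three checks behaved)\n", demo());
    return 0;
}
```

Compile with `cc -o tmpdemo tmpdemo.c` and run as an unprivileged user; the
whole scenario lives under a mkdtemp() directory, so nothing outside it is
touched.  The post-open fstat/lstat comparison is the cheap audit check worth
adding to any code that cannot yet be switched to mkstemp().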

Additional comment from the FreeBSD advisory on pine:
"Administrators should note that the Pine software has been a frequent
 source of past security holes, and makes extensive use of string
 routines commonly associated with security vulnerabilities.  The
 FreeBSD Security Officer believes it is likely that further
 vulnerabilities exist in this software, and recommends the use of
 alternative mail software in environments where electronic mail may be
 received from untrusted sources."

Affected Systems
================
All unix systems that have pine/pico with versions < 4.33 installed.

Not Affected
============
RedHat 7.1

Workaround (recommended, see above!)
====================================
Uninstall pine, use elm or mutt.

Solution
========
Upgrade to pine-4.33.

RedHat 6.x
rpm -Fvh pine-4.33-6.6x.i386.rpm

RedHat 7.0
rpm -Fvh pine-4.33-7.i386.rpm

Mandrake 7.1
rpm -Fvh pine-4.33-1.2mdk.i586.rpm

Mandrake 7.2, 8.0
rpm -Fvh pine-4.33-1.1mdk.i586.rpm