This one time, at band camp, Santiago Vila said:
> On Mon, 16 Jan 2006, Will Lowe wrote:
>
> > Package: pine
> > Version: 4.62-1
> > Severity: grave
> > Justification: user security hole
> >
> > http://www.washington.edu/pine/ says:
> >
> > Note: Install Pine 4.64, or later version, to fix a buffer overflow
> > problem. Read iDEFENSE Security Advisory for full details.
> >
> > The advisory is here:
> >
> > http://www.idefense.com/intelligence/vulnerabilities/display.php?id=313
> >
> > Pine appears to use the UW-IMAP client-side IMAP library, which has a
> > bug that allows access to the system by the user running Pine.
> >
> > The version of Pine shipped in Sarge is 4.62 and I've seen no
> > security-related release to address this issue. I realize that Pine
> > is in non-free but we're leaving our users out to dry here ...
>
> How exactly is this dangerous in *pine*? (not in the IMAP server)
>
> You gain access to the system if you are running pine? That would be a normal
> bug, IMHO, and therefore not the kind of bug that would deserve a report
> of grave severity.
>
> In either case, non-free sucks, and pine sucks even more. Since we
> don't distribute any .debs, apt-get upgrade will not magically fix
> anything. If I had to deal with this, I would tell users just to use
> the version in testing/unstable, which builds fine on stable, as
> they would have to build the new version themselves anyway.
>
> I'm Cc:ing the security team for their opinion.
It appears to me that the c-client library has a potential flaw allowing
them to cause a buffer overflow and run code as the uid of the running
program. For uw-imapd, this is probably an issue (I don't know if it has
already dropped privileges to the user at this point or if it is still
root). For pine, this means that you get to run arbitrary code as, um,
you. Not seeing much to be worried about for pine, really, unless I'm
missing something. Is pine suid or sgid?
-- 
-----------------------------------------------------------------
|  ,''`.                                      Stephen Gran |
| : :' :                                 [EMAIL PROTECTED] |
| `. `'                  Debian user, admin, and developer |
|   `-                            http://www.debian.org    |
-----------------------------------------------------------------
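The severity question in this thread comes down to whose privileges a c-client overflow would inherit: a client such as pine running as the invoking user, or a binary that is setuid/setgid to someone else. The following is an added triage helper, not code from the thread or from Debian; the function name `privilege_class` and the label strings are my own choices, and the binary path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): report the privilege boundary a
# memory-corruption bug in a given binary would cross. "none" means an
# exploit only gets the rights of the user already running the program
# (the pine case); "setuid:<owner>" or "setgid:<group>" means it would
# gain that owner's or group's rights instead, which changes the severity.
#
# Usage: privilege_class /path/to/binary
privilege_class() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "missing"
        return 1
    fi
    if [ -u "$f" ]; then
        # The file owner is the effective uid an exploit would run as.
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "setuid:$owner"
    elif [ -g "$f" ]; then
        # The file group is the effective gid an exploit would run as.
        group=$(ls -ld "$f" | awk '{print $4}')
        echo "setgid:$group"
    else
        echo "none"
    fi
}

# Example invocation (path is a placeholder; check where your package
# actually installs the binary).
# privilege_class /usr/bin/pine
```

A daemon started by init as root (the uw-imapd case in the thread) shows "none" here because no mode bit is involved; for that case check the uid the running process actually holds.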