I believe that a malicious IMAP server can gain access to the local system (where Pine is running).
Agree that non-free sucks, but wanted to point the problem out since I'm sure a lot of folks are using our pine and pine-tracker packages.

On Wed, Jan 18, 2006 at 02:04:53AM +0100, Santiago Vila wrote:
> On Mon, 16 Jan 2006, Will Lowe wrote:
>
> > Package: pine
> > Version: 4.62-1
> > Severity: grave
> > Justification: user security hole
> >
> > http://www.washington.edu/pine/ says:
> >
> > Note: Install Pine 4.64, or later version, to fix a buffer overflow
> > problem. Read iDEFENSE Security Advisory for full details.
> >
> > The advisory is here:
> >
> > http://www.idefense.com/intelligence/vulnerabilities/display.php?id=313
> >
> > Pine appears to use the UW-IMAP client-side IMAP library, which has a
> > bug that allows access to the system by the user running Pine.
> >
> > The version of Pine shipped in Sarge is 4.62 and I've seen no
> > security-related release to address this issue. I realize that Pine
> > is in non-free but we're leaving our users out to dry here ...
>
> How exactly is this dangerous in *pine*? (not in the IMAP server)
>
> You gain access to the system if you are running pine? That would be a normal
> bug, IMHO, and therefore not the kind of bug that would deserve a report
> of grave severity.
>
> In either case, non-free sucks, and pine sucks even more. Since we
> don't distribute any .debs, apt-get upgrade will not magically fix
> anything. If I had to deal with this, I would tell users just to use
> the version in testing/unstable, which builds fine on stable, as
> they would have to build the new version themselves anyway.
>
> I'm Cc:ing the security team for their opinion.

-- 
Will