Santiago Vila wrote:

> How exactly is this dangerous in *pine*? (not in the IMAP server)

The problem is that we have another case of an embedded code copy, something we should get rid of for Etch for as many packages as possible.

> You gain access to the system if you are running pine? That would be a normal
> bug, IMHO, and therefore not the kind of bug that would deserve a report
> of grave severity.
>
> In either case, non-free sucks, and pine sucks even more. Since we
> don't distribute any .debs, apt-get upgrade will not magically fix
> anything. If I had to deal with this, I would tell users just to use
> the version in testing/unstable, which builds fine on stable, as
> they would have to build the new version themselves anyway.
>
> I'm Cc:ing the security team for their opinion.

pine embeds a copy of some general purpose code of uw-imap. The function mail_valid_net_parse_work(), which may trigger the overflow, is used in the normal pine source, so the buffer overflow may very well be exploitable with crafted mails. I haven't checked that in detail and frankly I'm not interested in non-free to spend further time on this.

In case someone wants to provide an update, here's the relevant change from the 4.63->4.64 interdiff:

diff -Naur pine4.63/imap/src/c-client/mail.c pine4.64/imap/src/c-client/mail.c --- pine4.63/imap/src/c-client/mail.c 2005-03-17 01:12:17.000000000 +0100 +++ pine4.64/imap/src/c-client/mail.c 2005-09-15 18:57:31.000000000 +0200 @@ -10,7 +10,7 @@ * Internet: [EMAIL PROTECTED] * * Date: 22 November 1989 - * Last Edited: 15 March 2005 + * Last Edited: 15 September 2005 * * The IMAP toolkit provided in this Distribution is * Copyright 1988-2005 University of Washington.
@@ -691,8 +691,10 @@ if (c == '=') { /* parse switches which take arguments */ if (*t == '"') { /* quoted string? */ for (v = arg,i = 0,++t; (c = *t++) != '"';) { + if (!c) return NIL; /* unterminated string */ /* quote next character */ if (c == '\\') c = *t++; + if (!c) return NIL; /* can't quote NUL either */ arg[i++] = c; } c = *t++; /* remember delimiter for later */

Cheers,
Moritz
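Review bot: in the second hunk (mail.c around line 691), the two added `if (!c) return NIL;` checks stop the scan from walking past the terminating NUL of the input, both for an unterminated quoted string and for a trailing backslash, but `arg[i++] = c;` still stores without any bound on `i`, and the size of `arg` is not visible here. If `arg` is not guaranteed to be at least as large as the string being parsed, a long quoted argument could still overrun it; either add a bound on `i` inside the loop or leave a comment stating the invariant that makes the unbounded store safe. It would also help to note in the changelog that these checks fix a read past the end of the input rather than the write into `arg`, so the two cases are not confused.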