Pine 4.58 was released 2003-09-10 to fix this vulnerability. See:
http://www.idefense.com/advisory/09.10.03.txt
http://www.washington.edu/pine/changes.html
"
PINE contains two exploitable vulnerabilities that can be triggered
when a victim opens a specially crafted email sent by an attacker.
....
Vulnerability 1: Buffer Overflow
....
Vulnerability 2: Integer Overflow
....
III. ANALYSIS
If an attacker were to socially engineer a PINE user into opening a
malformed e-mail message, arbitrary code embedded within can then run
with privileges of the currently logged on user. It would be trivial
for this exploit to be fashioned into a worm, targeting e-mail
addresses found in any readable text files (inbox, etc.).
IV. DETECTION
PINE 4.56 and earlier is vulnerable.
....
VII. DISCLOSURE TIMELINE
15 AUG 2003 Issues acquired by iDEFENSE
25 AUG 2003 Issues disclosed to
(E-Mail Removed)
25 AUG 2003 Response from Mark Crispin, University of Washington
26 AUG 2003 Issues disclosed to iDEFENSE clients
04 SEP 2003 Issues disclosed to Linux vendors:
vendor-(E-Mail Removed)
10 SEP 2003 Coordinated Public Disclosure
VIII. CREDIT
zen-parse (zen-(E-Mail Removed)) discovered these vulnerabilities.
"
Similar Threads
Linear Mode
