-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1998.22: Buffer overflow in pine

Topic: Buffer overflow in pine
Advisory issue date: 24-July-1998


I. Problem Description

	A remote overflow was found in pine.  It's so simple
	there's no need to describe it:

	From: Michal Zalewski <lcamtuf@AAAAAAAAAAAA ... lots of As... AA
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>

	...and any attempt of reading this mail will cause:

	Program received signal SIGSEGV, Segmentation fault.
	0x41414141 in ?? ()


II. Impact

Description:

	It can be exploited to gain access to remote/local accounts.
	Fortunately, too long headers are destroyed by sendmail during
	prescan (maybe there's any way to split long line using
	encoding tricks).  E.g.:
	
	Jun 17 16:49:24 genome sendmail[689]: QAA00689: SYSERR(root): prescan:
	token too long

	But other mail daemons aren't so strict and the attack works.
				

Vulnerable Systems:

	OpenLinux 1.0, 1.1, & 1.2 systems using pine package prior to
	pine-4.00-1.
	

III. Solution

Correction:

        The proper solution is to upgrade to the pine-4.00-1 packages. 
	
        They can be found on Caldera's FTP site at:
	ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/RPMS

        The corresponding source code can be found at:
	ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/010/SRPMS

	The MD5 checksums (from the "md5sum" command) for these
	packages are:

	5a7c90a5c7e9fc4bf15add13bcd79d8f  RPMS/pine-4.00-1.i386.rpm
	05f2471a334bbb78cac1fdd0edd607c8  SRPMS/pine-4.00-1.src.rpm

        Upgrade with the following commands:

	rpm -q pine && rpm -U --nodeps pine-4.00-1.i386.rpm
	
	The nodeps switch is required to overcome the dependency
	requirement of a contributed script included in the pine
	documentation.


IV. References

        This and other Caldera security resources are located at:
	http://www.caldera.com/news/security/index.html

	Additional documentation on this problem can be found in the
	bugtraq mailing list:

	Message-ID: 
	<Pine.LNX.3.96.980617164950.707A-100000@ppp2-cst105.warszawa.tpnet.pl>
	Date: 	Wed, 17 Jun 1998 16:57:28 +0200
	Reply-To: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
	From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
	Subject:      another remote pine vunerability
	To: BUGTRAQ@NETSPACE.ORG


        This security fix closes Caldera's internal Problem Report
	4024.


V. PGP Signature

	This message was signed with the PGP key for security@caldera.com.

	This key can be obtained from:
		ftp://ftp.caldera.com/pub/pgp-keys/

	Or on an OpenLinux CDROM under:
		/OpenLinux/pgp-keys/

	$Id: SA-1998.22.txt,v 1.3 1998/07/24 13:03:47 rf Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNbiGM+n+9R4958LpAQGUngQAilF970VrPoORsOHm8CutUcYIzBHt4ReJ
EcQwD6r4IpcWLKxVVpEf0i5QDCzZD2oUbFKMU/OFAPZ7C4BfFP4ab8lQnfeyej8K
bRCIg5Gy8FZeCA1662stFJwoJwaMLRfmUxqD0nrG7nHZ9/9IQkJ/QbeWFIJ9BBkg
GyjJbVqAkb8=
=aFtg
-----END PGP SIGNATURE-----