From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-announce-return-155-arch-gentoo-announce=gentoo.org@gentoo.org>
Received: (qmail 30909 invoked by uid 1002); 16 Sep 2003 07:39:24 -0000
Mailing-List: contact gentoo-announce-help@gentoo.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:gentoo-announce@gentoo.org>
List-Help: <mailto:gentoo-announce-help@gentoo.org>
List-Unsubscribe: <mailto:gentoo-announce-unsubscribe@gentoo.org>
List-Subscribe: <mailto:gentoo-announce-subscribe@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-announce.gentoo.org>
X-BeenThere: gentoo-announce@gentoo.org
Received: (qmail 12786 invoked from network); 16 Sep 2003 07:08:32 -0000
From: Seemant Kulleen <seemant@gentoo.org>
To: gentoo-announce@gentoo.org
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-pScR4y/r+wpGtLExYfdL"
Organization: Gentoo Linux
Message-Id: <1063696052.10345.60.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.4
Date: Tue, 16 Sep 2003 00:07:32 -0700
Subject: [gentoo-announce] GLSA 200309-10: Pine
X-Archives-Salt: 3c6251fe-e738-47ec-917c-9d23b86e1d47
X-Archives-Hash: 6ba3847c05682c96dfee07f93040a255
--=-pScR4y/r+wpGtLExYfdL
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-
---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-10
-
---------------------------------------------------------------------------
PACKAGE : net-mail/pine
SUMMARY : buffer overflow, integer overflow
DATE : 2003-09-16 05:58 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <pine-4.58
FIXED VERSION : >=3Dpine-4.58 >=3Dpine-4.58-r1(masked)
CVE : CAN-2003-0720, CAN-2003-0721
-
---------------------------------------------------------------------------
quote from advisory:
"A remotely exploitable buffer overflow exists within the parsing of the
message/external-body type attribute name/value pairs. Failure to check
that the length of the longest attribute is less than the space
available allows a maliciously formed e-mail message to overwrite
control structures."
"A remotely exploitable integer overflow exists in the parsing of e-mail
headers, allowing for arbitrary code execution upon the opening of a
malicious e-mail."
read the full advisory at:
http://www.idefense.com/advisory/09.10.03.txt
SOLUTION
It is recommended that all Gentoo Linux users who are running
net-mail/pine upgrade to either one of these versions:
pine-4.58 OR
pine-4.58-r1 if accepting "~" keywords.
emerge sync
emerge pine
emerge clean
// end
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE/Zqapnt0v0zAqOHYRAr8UAKCM81NvUvMqMIfzN9G4Y1HuLidG3QCgpWcj
LOOzb/LbWW1AeoKeqKjLtyk=3D
=3DrslH
-----END PGP SIGNATURE-----
--=20
Seemant Kulleen
Developer and Project Co-ordinator,
Gentoo Linux http://dev.gentoo.org/~seemant
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x3458780=
E
Key fingerprint =3D 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E
--=-pScR4y/r+wpGtLExYfdL
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQA/Zra07aJl2DRYeA4RAvZNAJ0fbKVFfQedF7C51ksoBI2OY0Wj3wCgrMmW
x/F2U/zZtZAnvQmqDBEYCzI=
=K8Uk
-----END PGP SIGNATURE-----
--=-pScR4y/r+wpGtLExYfdL--