From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 30909 invoked by uid 1002); 16 Sep 2003 07:39:24 -0000 Mailing-List: contact gentoo-announce-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@gentoo.org Received: (qmail 12786 invoked from network); 16 Sep 2003 07:08:32 -0000 From: Seemant Kulleen To: gentoo-announce@gentoo.org Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-pScR4y/r+wpGtLExYfdL" Organization: Gentoo Linux Message-Id: <1063696052.10345.60.camel@localhost> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.4 Date: Tue, 16 Sep 2003 00:07:32 -0700 Subject: [gentoo-announce] GLSA 200309-10: Pine X-Archives-Salt: 3c6251fe-e738-47ec-917c-9d23b86e1d47 X-Archives-Hash: 6ba3847c05682c96dfee07f93040a255 --=-pScR4y/r+wpGtLExYfdL Content-Type: text/plain Content-Transfer-Encoding: quoted-printable -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --------------------------------------------------------------------------- GENTOO LINUX SECURITY ANNOUNCEMENT 200309-10 - --------------------------------------------------------------------------- PACKAGE : net-mail/pine SUMMARY : buffer overflow, integer overflow DATE : 2003-09-16 05:58 UTC EXPLOIT : remote VERSIONS AFFECTED : =3Dpine-4.58 >=3Dpine-4.58-r1(masked) CVE : CAN-2003-0720, CAN-2003-0721 - --------------------------------------------------------------------------- quote from advisory: "A remotely exploitable buffer overflow exists within the parsing of the message/external-body type attribute name/value pairs. Failure to check that the length of the longest attribute is less than the space available allows a maliciously formed e-mail message to overwrite control structures." "A remotely exploitable integer overflow exists in the parsing of e-mail headers, allowing for arbitrary code execution upon the opening of a malicious e-mail." read the full advisory at: http://www.idefense.com/advisory/09.10.03.txt SOLUTION It is recommended that all Gentoo Linux users who are running net-mail/pine upgrade to either one of these versions: pine-4.58 OR pine-4.58-r1 if accepting "~" keywords. emerge sync emerge pine emerge clean // end -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE/Zqapnt0v0zAqOHYRAr8UAKCM81NvUvMqMIfzN9G4Y1HuLidG3QCgpWcj LOOzb/LbWW1AeoKeqKjLtyk=3D =3DrslH -----END PGP SIGNATURE----- --=20 Seemant Kulleen Developer and Project Co-ordinator, Gentoo Linux http://dev.gentoo.org/~seemant Public Key: http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x3458780= E Key fingerprint =3D 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E --=-pScR4y/r+wpGtLExYfdL Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQA/Zra07aJl2DRYeA4RAvZNAJ0fbKVFfQedF7C51ksoBI2OY0Wj3wCgrMmW x/F2U/zZtZAnvQmqDBEYCzI= =K8Uk -----END PGP SIGNATURE----- --=-pScR4y/r+wpGtLExYfdL--