Skip to navigation

Security Advisory Updated pine packages are available

Advisory: RHSA-2002:009-08
Type: Security Advisory
Severity: N/A
Issued on: 2002-01-10
Last updated on: 2002-03-12
Affected Products: Red Hat Linux 6.2
Red Hat Linux 7.0
Red Hat Linux 7.1
Red Hat Linux 7.2
CVEs (cve.mitre.org): CVE-2002-0014

Details

Pine (version 4.43 and earlier) as released with all currently
supported versions of Red Hat Linux (6.2, 7, 7.1, 7.2), contains a URL
handling bug. This bug can allow a malicious attacker to cause arbitrary
commands embedded in a URL to be executed on the users system upon
attempting to view the URL.

The purpose of this release is to fix a security bug with the
treatment of quotes in the URL-handling code. The bug allows a
malicious sender to embed commands in a URL. This bug is present
in all versions of UNIX Pine 4.43 or earlier.

Example: A URL constructed as:

http://www.somewhere.com/'&touch${IFS}/tmp/foo${IFS}/tmp/bar'

would cause the files /tmp/foo and /tmp/bar to be created on the
user's machine if the URL is viewed.

Thanks to zen-parse for discovering and reporting this problem.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0014 to this issue.

All users of Pine are urged to upgrade to this erratum release.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Linux 6.2

SRPMS:
pine-4.44-1.62.0.src.rpm
File outdated by:  RHSA-2002:270
    MD5: 38d74c9ded06b9fa9a658bb824df1cf9
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.62.0/alpha/pine-4.44-1.62.0.alpha.rpm
Missing file
    MD5: 36fc86f10a4035248fa78b78e6112611
 
IA-32:
pine-4.44-1.62.0.i386.rpm
File outdated by:  RHSA-2002:270
    MD5: 48d8bd73b783e03b9dd00cb72452837e
 
Sparc:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.62.0/sparc/pine-4.44-1.62.0.sparc.rpm
Missing file
    MD5: 4237f4efd8c54eb9da4bda57bc593527
 
Red Hat Linux 7.0

SRPMS:
pine-4.44-1.70.0.src.rpm
File outdated by:  RHSA-2002:270
    MD5: 3107591d48fbfc295592f6149402c4b7
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.70.0/alpha/pine-4.44-1.70.0.alpha.rpm
Missing file
    MD5: 996dc3e3e34b65a7b7346e1d7a19e02c
 
IA-32:
pine-4.44-1.70.0.i386.rpm
File outdated by:  RHSA-2002:270
    MD5: f719250bc6bcdde0cb38d10360a10e7d
 
Red Hat Linux 7.1

SRPMS:
pine-4.44-1.71.0.src.rpm
File outdated by:  RHSA-2003:273
    MD5: 05dfaf528c63c5e7b54b494d273732a8
 
Alpha:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.71.0/alpha/pine-4.44-1.71.0.alpha.rpm
Missing file
    MD5: 0a4e1763877ed1e7cedb40dd9fd61658
 
IA-32:
pine-4.44-1.71.0.i386.rpm
File outdated by:  RHSA-2003:273
    MD5: 5ce45ce475b2d5b2a7499af5b5447ae5
 
IA-64:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.71.0/ia64/pine-4.44-1.71.0.ia64.rpm
Missing file
    MD5: abebd7f2b465955c38d11a5321b2e882
 
Red Hat Linux 7.2

SRPMS:
pine-4.44-1.72.0.src.rpm
File outdated by:  RHSA-2003:273
    MD5: 8582de73eb94e6f1c4581fd76b8f1dfd
 
IA-32:
pine-4.44-1.72.0.i386.rpm
File outdated by:  RHSA-2003:273
    MD5: b9d697321f317895f6d96bf7f73db187
 
IA-64:
pine-4.44-1.72.0.ia64.rpm
File outdated by:  RHSA-2003:273
    MD5: b42b41734a7c15a64deb820b1353ac06
 
s390:
ftp://updates.redhat.com/rhn/repository/NULL/pine/4.44-1.72.0/s390/pine-4.44-1.72.0.s390.rpm
Missing file
    MD5: 99ea3e93f3d99f68c882dcef5fa2a555
 

References


Keywords

pine, url, vulnerability


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/