Security Advisory pine security update

Advisory: RHSA-2002:271-08
Type: Security Advisory
Severity: Moderate
Issued on: 2003-02-06
Last updated on: 2003-02-05
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2002-1320

Details

A vulnerability in Pine version 4.44 and earlier releases can cause
Pine to crash when sent a carefully crafted email.

[Updated 06 Feb 2003]
Added fixed packages for Advanced Workstation 2.1

Pine, developed at the University of Washington, is a tool for reading,
sending, and managing electronic messages (including mail and news).

A security problem was found in versions of Pine 4.44 and earlier. In these
verions, Pine does not allocate enough memory for the parsing and escaping
of the "From" header, allowing a carefully crafted email to cause a
buffer overflow on the heap. This will result in Pine crashing.

All users of Pine on Red Hat Linux Advanced Server are advised to
update to these errata packages containing a patch to version 4.44
of Pine that fixes this vulnerability.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)
SRPMS:
pine-4.44-7.21AS.0.src.rpm
File outdated by:  RHSA-2005:015		     e34e20adbf4c5c2fcb0326d49f33e8a3
 
IA-32:
pine-4.44-7.21AS.0.i386.rpm
File outdated by:  RHSA-2005:015		     5addc2e77b38e2ec36f35d46876186ab
 
IA-64:
pine-4.44-7.21AS.0.ia64.rpm
File outdated by:  RHSA-2005:015		     3ab56c51ad656204d153752b6f9ade45
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
SRPMS:
pine-4.44-7.21AS.0.src.rpm
File outdated by:  RHSA-2005:015		     e34e20adbf4c5c2fcb0326d49f33e8a3
 
IA-64:
pine-4.44-7.21AS.0.ia64.rpm
File outdated by:  RHSA-2005:015		     3ab56c51ad656204d153752b6f9ade45
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

78768 - Security issue in Pine 4.44 and older releases


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1320
http://www.washington.edu/pine/changes/4.44-to-4.50.html
http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2

Keywords

crash, denial, DoS, flaw:buf, of, pine, service, vulnerable

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/