An attacker can send a fully legal email message with a crafted
From-header and thus force pine to core dump on startup.
The only way to launch pine is manually removing the bad message
either directly from the spool, or from another MUA. Until the
message has been removed or edited there is no way of accessing
the INBOX using pine.
http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2
--
This note is to announce the availability of the Pine Message System version
4.44. The purpose of this release is to fix a security bug with the treatment
of quotes in the URL-handling code. The bug allows a malicious sender to
embed commands in a URL. This bug is present in all versions of UNIX Pine.
There is no vulnerability from this bug in PC-Pine.
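The bug class described in this announcement (a URL interpolated into a shell command string, where a quote character in the URL ends the quoted region and the remainder is parsed as shell) is illustrated below with an added example. This is not Pine's code; it contrasts the fragile pattern with a hardened one that validates the URL and then execs the browser through an argv array, so no shell ever sees the URL. The browser name `lynx`, the function names, and the test URLs are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define BROWSER "lynx"            /* placeholder: any command-line browser */

static char cmdbuf[1024];

/* Fragile pattern: wrap the URL in single quotes inside a command string
 * destined for system()/popen(). A single quote inside the URL closes the
 * quoted region, and everything after it is interpreted by the shell.
 * The string is only built here, never executed, so the hazard is visible
 * in the return value. */
const char *build_shell_cmd(const char *url)
{
    snprintf(cmdbuf, sizeof cmdbuf, "%s '%s'", BROWSER, url);
    return cmdbuf;
}

/* Hardened pattern, step 1: accept only URLs with an expected scheme and
 * a conservative character set. Shell metacharacters, control characters,
 * whitespace and non-ASCII bytes are rejected outright. Returns 1 if the
 * URL may be launched, 0 otherwise. */
int url_is_launchable(const char *url)
{
    static const char *schemes[] = { "http://", "https://", "ftp://", NULL };
    int scheme_ok = 0;

    for (int i = 0; schemes[i] != NULL; i++)
        if (strncmp(url, schemes[i], strlen(schemes[i])) == 0)
            scheme_ok = 1;
    if (!scheme_ok)
        return 0;

    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (*p <= 0x20 || *p >= 0x7f)          /* controls, space, non-ASCII */
            return 0;
        if (strchr("'\"`$\\<>|;&(){}", *p))    /* shell metacharacters */
            return 0;
    }
    return 1;
}

/* Hardened pattern, step 2: exec the browser with a fixed argv. Even if a
 * hostile character slipped past the filter, it would reach the browser as
 * one literal argument, not a shell command. Returns the child pid, or -1
 * if the URL was rejected or fork() failed. */
int launch_browser(const char *url)
{
    if (!url_is_launchable(url))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(BROWSER, BROWSER, url, (char *)NULL);
        _exit(127);                            /* exec failed */
    }
    return (int)pid;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s URL\n", argv[0]);
        return 2;
    }
    printf("shell-string form (do not run): %s\n", build_shell_cmd(argv[1]));
    if (launch_browser(argv[1]) < 0) {
        fprintf(stderr, "rejected: URL failed validation\n");
        return 1;
    }
    return 0;
}
```

Running the program with a URL that contains a single quote shows the quoted region breaking in the shell-string form, while `url_is_launchable` refuses it and the argv-based launcher never runs; a plain `http://` URL passes and is handed to the browser as a single argument.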
- never create an ldap FLAVORized Pico package since it does not pertain
to Pico and do not mistakenly register a dependency on ldap with the
package either
Pine has historically built against an internal copy
of the c-client library; however, c-client development
has progressed beyond what is shipped with pine.
(It would appear that all new development work is
being done via UW's imap server codebase.) This change
allows pine to utilize improvements/bugfixes in the
c-client library. A consequence of this change is
that the vulnerability recently reported to BugTraq
regarding the malformed X-Keywords header has been fixed.
This leads to three packages:
pine, pine+pico, pico
Note that pine does not depend on pico, since it links with the static
libpico library.
The old pine package corresponds to the newer pine+pico package.
- remove FAKE=Yes and license type
- remove configure script and integrate it into the Makefile
- add #!/bin/sh to DEINSTALL
- re-arrange INSTALL script a bit and remove bogus PIDFILE variable