Bug 162899 (CVE-2002-1903)

Summary: CVE-2002-1903 pine username disclosure issue
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-03-09 08:58:46 UTC

Description Josh Bressers 2005-07-11 15:19:41 UTC
This text is taken from here:
http://archives.neohapsis.com/archives/bugtraq/2002-06/0053.html
From: Roger Marquis

    The Pine email client allows users to define the "From:"
    address independent of their Unix username. This is an
    indispensable feature for help desks and other role accounts.

    Unfortunately, user names and/or ids can still be leaked due to
    Pine's insertion of "Sender:" and/or "X-Sender:" headers. Pine
    versions earlier than 4.44 may also insert the Unix username
    into other envelope and header fields. 


That message also contains a patch for this issue.
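
A defender-side check for the header leak described above, as an added example that is not part of the original report or of Pine's code: it flags "Sender:" and "X-Sender:" addresses that differ from every "From:" address, and strips those headers before relay. The sample message, its addresses, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers the report names as carrying the Unix username.
LEAK_HEADERS = ("Sender", "X-Sender")

# Constructed sample: a role-account From: with the real login in Sender/X-Sender.
SAMPLE = """\
From: Help Desk <helpdesk@example.org>
Sender: jdoe@mailhost.example.org
X-Sender: jdoe@mailhost.example.org
To: customer@example.net
Subject: Re: ticket

Your request has been received.
"""


def leaked_identities(raw_message):
    """Return (header, address) pairs whose address matches no From: address."""
    msg = message_from_string(raw_message)
    from_addrs = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("From", []))
        if addr
    }
    findings = []
    for name in LEAK_HEADERS:
        for _, addr in getaddresses(msg.get_all(name, [])):
            if addr and addr.lower() not in from_addrs:
                findings.append((name, addr))
    return findings


def scrub(raw_message):
    """Return the message with every Sender:/X-Sender: header removed."""
    msg = message_from_string(raw_message)
    for name in LEAK_HEADERS:
        del msg[name]  # removes all occurrences; no error if absent
    return msg.as_string()


if __name__ == "__main__":
    for header, addr in leaked_identities(SAMPLE):
        print(f"{header}: exposes {addr}")
    print(leaked_identities(scrub(SAMPLE)))
```
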

Comment 2 Mark J. Cox 2007-07-20 12:02:53 UTC
This is a debatable security issue, it's the way many mailers worked, it was
documented behaviour, and is of minimal security consequence.  It's not worth
issuing a security update for RHEL2.1 to correct this issue.  wontfix.