Bug 78768

Summary: Security issue in Pine 4.44 and older releases
Product: Red Hat Enterprise Linux 2.1
Component: pine
Version: 2.1
Hardware: i386
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Mark J. Cox <mjc>
Assignee: Mike A. Harris <mharris>
QA Contact: Ben Levenson <benl>
CC: mharris
Doc Type: Bug Fix
Last Closed: 2003-01-12 02:53:58 UTC

Description Mark J. Cox 2002-11-29 14:38:26 UTC
A security problem was found in versions of Pine prior to 4.50. Pine does
not allocate enough memory for the parsing and escaping of the "From"
header, allowing a carefully crafted email to cause a buffer overflow on
the heap that will make Pine crash.

http://marc.theaimsgroup.com/?l=bugtraq&m=103668430620531&w=2
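
The bug class described above (an output buffer sized for the raw header rather than for its escaped form) is avoided by allocating for the worst-case expansion and bounds-checking every write. The following is an added example, not Pine's code and not the vendor patch; the function names are hypothetical, and the escaping rule (a backslash before each `"` and `\` inside a quoted display name) is an assumption chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case size of the quoted form of an n-byte display name:
 * every byte may need a backslash (2n), plus two quotes and a NUL.
 * Returns 0 if the computation would overflow size_t. */
size_t quoted_size(size_t n)
{
    if (n > (SIZE_MAX - 3) / 2)
        return 0;
    return 2 * n + 3;
}

/* Quote and escape src into dst, which holds cap bytes.
 * Returns the output length, or (size_t)-1 if dst is too small.
 * Every write is bounds-checked, so an undersized buffer produces
 * an error instead of a write past the end of the allocation. */
size_t quote_name(const char *src, char *dst, size_t cap)
{
    size_t o = 0;
    if (cap < 3)
        return (size_t)-1;
    dst[o++] = '"';
    for (; *src; src++) {
        size_t esc = (*src == '"' || *src == '\\');
        /* room for escape + char + closing quote + NUL */
        if (o + esc + 3 > cap)
            return (size_t)-1;
        if (esc)
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o++] = '"';
    dst[o] = '\0';
    return o;
}

/* Allocate the worst case, then escape. Caller frees the result. */
char *quote_name_alloc(const char *src)
{
    size_t need = quoted_size(strlen(src));
    char *buf = need ? malloc(need) : NULL;
    if (buf && quote_name(src, buf, need) == (size_t)-1) {
        free(buf);
        buf = NULL;
    }
    return buf;
}
```

A buffer sized as `strlen(src) + 3` is enough only when nothing needs escaping; with this checked writer, such a buffer makes `quote_name` fail cleanly on a name made entirely of quote characters.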

Comment 1 Mike A. Harris 2002-12-02 09:12:31 UTC
People reading this report may be a bit curious about the fix that Red Hat
and pretty much all other vendors are currently using, due to the timing
of things.

This bug was found prior to pine 4.50 being released, and the patch which
fixes pine 4.44 and earlier is what we have applied to pine 4.44 in order to
resolve this issue with minimal impact.

Some users have asked why Red Hat has not released a pine 4.50 update since
it also fixes this issue.  Since this is a security issue, what is most
important is that the specific security issue is fixed, and nothing else
is changed.  That provides Red Hat customers with a new bug fixed version
of the version of pine that they are already using, and it comes with no
surprises.

pine 4.50 is brand new, and as such may contain instabilities or other
new bugs due to it being a brand new release just released to the general
public, and not yet having widespread testing.

As such, releasing pine 4.50 instead of the bug fixed pine 4.44 could
cause a software regression, and that isn't an acceptable solution for
Red Hat's stable OS products.  We've chosen to fix the bug instead by
patching it, and providing a known stable package as an update.

Some users are curious about when Red Hat will release pine 4.50 for
the various Red Hat OS products.  pine 4.50 or some later version
will appear in a future Red Hat Linux product at some point, once
it is considered stable for inclusion and has had adequate beta
testing.  There are no plans for shipping a pine 4.50 enhancement
update for any Red Hat Linux products at this time; however, over time,
if the new version of pine proves itself to be as stable and reliable
as pine 4.44 is, then we may consider releasing an enhancement.  There
are currently no plans, however, to do so.

Comment 2 Mike A. Harris 2002-12-20 08:16:29 UTC
This problem has been fixed and is in QA testing.  I've updated the bug
summary to be more accurate, and am closing this as fixed in erratum, as
the new erratum should be released very soon.

Comment 3 Mark J. Cox 2002-12-20 08:20:57 UTC
This bug is used for tracking security issues in Advanced Server; reopening
until the errata ships (at which time the bug will be closed automatically).

Comment 4 Mike A. Harris 2003-01-12 02:53:58 UTC
Closed automatically by what?  ;o)

The erratum has been released already.