Bug 184074 - CAN-2003-0297 c-client/Pine crash
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: pine
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Fedora Legacy Bugs
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: impact=low, LEGACY, rh73, rh90
Keywords: Security
Reported: 2006-03-05 17:24 EST by Pavel Kankovsky
Modified: 2006-04-24 13:19 EDT (History)
Last Closed: 2006-04-04 20:27:21 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 97342 None None None Never
Description Pavel Kankovsky 2006-03-05 17:24:19 EST
"c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows remote
malicious IMAP servers to cause a denial of service (crash) and possibly execute
arbitrary code via certain large (1) literal and (2) mailbox size values that
cause either integer signedness errors or integer overflow errors." (from CVE)

It appears Pine < 4.55 is affected, i.e. 7.3, maybe 9. FC unlikely.

This patch was used to fix Pine in RHEL 2.1:
--snip--
Patch to correct CAN-2003-0297 which could allow a remote malicious IMAP
server to crash Pine by sending a large literal which causes an integer
overflow.  Patch taken from fix in imap-2002c

--- pine4.44/imap/src/c-client/imap4r1.c.orig	Fri Dec  3 05:42:27 2004
+++ pine4.44/imap/src/c-client/imap4r1.c	Fri Dec  3 05:44:03 2004
@@ -3896,7 +3896,12 @@
 
   case '{':			/* if literal string */
 				/* get size of string */ 
-    i = strtoul (*txtptr,txtptr,10);
+    if ((i = strtoul (*txtptr,txtptr,10)) > 0x7fffffff) {
+	sprintf (LOCAL->tmp,"Absurd server literal length %lu",i);
+	mm_log (LOCAL->tmp,WARN);
+	if (len) *len = i;
+	break;
+    }
     if (len) *len = i;		/* set return value */
     if (md && mg) {		/* have special routine to slurp string? */
       if (md->first) {		/* partial fetch? */
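Review bot: In the rejection branch, `if (len) *len = i;` still writes the rejected length to the caller before the `break`, so a caller that sizes a buffer or a read from `*len` receives the same value the `> 0x7fffffff` test just refused. Consider storing 0 there (or leaving `*len` untouched) and confirming that the string pointer returned after the `break` is NIL, which these lines do not show. The bound also only closes the signedness case: any literal up to 0x7fffffff is still accepted, so a smaller ceiling may be worth a follow-up. `%lu` is correct only if `i` is declared `unsigned long`; the declaration is outside this hunk.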
--snip--
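The signedness error named in the CVE text, next to a bounded parse of the IMAP `{n}` literal size, as an added example (not c-client or Pine code, and not part of the original report). `naive_signed_length`, `parse_literal_size` and `MAX_LITERAL` are hypothetical names, and storing the size in a 32-bit signed variable is an assumption about how the failure arises.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LITERAL 0x7fffffffUL /* same ceiling as the patch above */

/* Assumed failure mode: the size from "{n}" ends up in a 32-bit signed
 * variable, so values above 0x7fffffff turn negative. */
int32_t naive_signed_length(const char *s)
{
    unsigned long n = strtoul(s + 1, NULL, 10); /* skip '{' */
    return (int32_t)(uint32_t)n;
}

/* Bounded parse of "{<digits>}". Returns 0 and stores the size on success,
 * -1 for malformed input, -2 when the size is above MAX_LITERAL. */
int parse_literal_size(const char *s, unsigned long *out)
{
    char *end;
    unsigned long n;

    /* strtoul() accepts a sign and leading spaces; require a digit first */
    if (s[0] != '{' || s[1] < '0' || s[1] > '9') return -1;
    errno = 0;
    n = strtoul(s + 1, &end, 10);
    if (*end != '}') return -1;
    if (errno == ERANGE || n > MAX_LITERAL) return -2;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed server-supplied sizes, not captured traffic */
    const char *samples[] = { "{1024}", "{2147483648}", "{4294967295}", "{-1}" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        unsigned long n = 0;
        int rc = parse_literal_size(samples[i], &n);
        printf("%-14s naive=%ld rc=%d size=%lu\n", samples[i],
               (long)naive_signed_length(samples[i]), rc, n);
    }
    return 0;
}
```

The `errno == ERANGE` test covers sizes too large for `unsigned long` itself, which `strtoul` clamps instead of rejecting.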
Comment 1 David Eisenstein 2006-03-06 03:26:29 EST
Thanks, Pavel.  I believe this does affect RHL 7.3 and RHL 9.  It won't affect
the Fedoras because they do not include Pine.

Marking bug to be worked on.
Comment 2 Marc Deslauriers 2006-03-09 17:46:41 EST
Here are updated packages to QA:

88be7e815d07cb61f0eaf45be0ff984d588eda71  7.3/pine-4.44-19.73.1.legacy.i386.rpm
06c2e191e2aac8adf43d3afe746fb957ef58bcac  7.3/pine-4.44-19.73.1.legacy.src.rpm
cd7ad2746c58cc4254a4032eb50114ac4662ae0c  9/pine-4.44-19.90.1.legacy.i386.rpm
f0f7c7be4749a6f67c3dbdd70e9a59dbe31af4ae  9/pine-4.44-19.90.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/pine-4.44-19.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/pine-4.44-19.90.1.legacy.src.rpm

Comment 3 Pekka Savola 2006-03-10 02:26:11 EST
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patch verified to come from upstream
 
+PUBLISH RHL73, RHL9
 
06c2e191e2aac8adf43d3afe746fb957ef58bcac  pine-4.44-19.73.1.legacy.src.rpm
f0f7c7be4749a6f67c3dbdd70e9a59dbe31af4ae  pine-4.44-19.90.1.legacy.src.rpm
Comment 4 Marc Deslauriers 2006-03-15 20:29:43 EST
Packages were pushed to updates-testing.
Comment 5 Pekka Savola 2006-03-16 01:06:05 EST
QA for RHL9.  Signature OK, upgrades OK.  Rpm-build-compare.sh on
the binaries also looks OK.  Basic testing OK.
 
+VERIFY RHL9
Comment 6 Tom Yates 2006-03-23 07:28:44 EST
043112c55f52e5454ab01e52f7a50968016ac6a1  pine-4.44-19.90.1.legacy.i386.rpm

Installs OK.  Runs OK, although I do most of my serious PINE work from an
FC4 system over imap, so cannot claim to have exhaustively tested it.

+VERIFY RH9

Comment 7 Pekka Savola 2006-03-23 08:26:50 EST
Timeout shortened to 1 week and thus over.
Comment 8 Marc Deslauriers 2006-04-04 20:27:21 EDT
Packages were released to updates.
