A security problem was found in versions of Pine prior to 4.50. Pine does
no allocate enough memory for the parsing and escaping of the "From"
header, allowing a carefully crafted email to cause a buffer overflow on
the heap that will make Pine crash.
People reading this report may be a bit curious about the fix that Red Hat
and pretty much all other vendors are currently using, due to the timing
This bug was found prior to pine 4.50 being released, and the patch which
fixes pine 4.44 and earlier is what we have applied to pine 4.44 in order to
resolve this issue with minimal impact.
Some users have asked why Red Hat has not released a pine 4.50 update since
it also fixes this issue. Since this is a security issue, what is most
important is that the specific security issue is fixed, and nothing else
is changed. That provides Red Hat customers with a new bug fixed version
of the version of pine that they are already using, and it comes with no
pine 4.50 is brand new, and as such may contain instabilities or other
new bugs due to it being a brand new release just released to the general
public, and not yet having widespread testing.
As such, releasing pine 4.50 instead of the bug fixed pine 4.44 could
cause a software regression, and that isn't an acceptable solution for
Red Hat's stable OS products. We've chosen to fix the bug instead by
patching it, and providing a known stable package as an update.
Some users are curious about when Red Hat will release pine 4.50 for
the various Red Hat OS products. pine 4.50 or some later version
will appear in a future Red Hat Linux product at some point, once
it is considered stable for inclusion and has had adequate beta
testing. There are no plans for shipping a pine 4.50 enhancement
update for any Red Hat Linux products at this time, however over time
if the new version of pine proves itself to be as stable and reliable
as pine 4.44 is, then we may consider releasing an enhancement. There
are currently no plans however to do so.
This problem has been fixed and in QA testing. I've updated the bug
summary to be more accurate, and closing this as fixed in erratum, as
the new erratum should be released very soon.
This bug is used for tracking security issues in Advanced Server; reopening
until the errata ships (at which time the bug will be closed automatically)
Closed automatically by what? ;o)
The erratum has been released already.