Pine _again_ :)

From: Chris Evans (chrisat_private)
Date: Mon Feb 08 1999 - 13:19:29 PST


    Hi,
    
    PINE seems to be flavour of the month so I'll add to Michal's post. This
    is much less serious than Michal's problem but probably noteworthy anyway.
    
    PINE can be made to crash if /var/spool/mail/<who> contains a line along
    the lines of
    
    "From AAAAAAAAAAAA" where the A's number ~10000. If you are lucky your
    MTA will truncate this line safely, preventing remote exploit.
    
    I discovered this by "accident" playing with procmail locally - procmail
    places no limits on what junk you can inject into other people's
    mailboxes.
    
    The affected pine version is 4.04 as comes with RedHat 5.2. Pine 4.10
    untested. If someone wants to test it and can't get it to work, contact me
    for a ready-made MBOX file. To get the crash to happen I _think_ the
    message has to be viewed. But that's what people tend to do with mail ;-)
    The actual crash occurs when the product exits.
    
    The overflow isn't onto the stack but there are definite exploit
    opportunities. On i386 and 100,000 A's, the core dump indicates
    edi=0x41414141 which suggests we can copy data to an arbitrary location in
    virtual memory.
    
    Cheers
    Chris
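A defensive check for the condition the post describes, added here as an example and not part of the original message or of Pine: it splits an mbox into messages on the "From " envelope separator, reports any envelope line longer than a limit, and can rewrite the mailbox with those lines truncated, which is the safe behaviour the post credits to some MTAs. The 1024-character limit and the sample mailbox are constructed assumptions.

```python
"""Detect and neutralise oversized mbox 'From ' envelope lines (added example)."""
from typing import List, Tuple

# Assumed threshold; the post reports crashes with envelope lines of ~10,000 chars.
MAX_ENVELOPE_LEN = 1024


def split_mbox(data: str) -> List[Tuple[str, str]]:
    """Split mbox text into (envelope_line, body) pairs.

    A 'From ' line opens a new message only at the start of the file or right
    after a blank line; in-body occurrences are normally quoted as '>From ' by
    the MTA, so they stay in the body and are never treated as separators.
    """
    messages: List[Tuple[str, str]] = []
    envelope = None
    body: List[str] = []
    prev_blank = True
    for line in data.splitlines():
        if line.startswith("From ") and prev_blank:
            if envelope is not None:
                messages.append((envelope, "\n".join(body)))
            envelope, body = line, []
        elif envelope is not None:
            body.append(line)
        prev_blank = line == ""
    if envelope is not None:
        messages.append((envelope, "\n".join(body)))
    return messages


def find_oversized_envelopes(data: str, limit: int = MAX_ENVELOPE_LEN) -> List[Tuple[int, int]]:
    """Return (message_index, envelope_length) for every envelope line over limit."""
    return [(i, len(env)) for i, (env, _) in enumerate(split_mbox(data)) if len(env) > limit]


def truncate_envelopes(data: str, limit: int = MAX_ENVELOPE_LEN) -> str:
    """Rewrite the mailbox with each envelope line cut to at most 'limit' characters."""
    out: List[str] = []
    for env, body in split_mbox(data):
        out.append(env[:limit])
        out.append(body)
    return "\n".join(out) + "\n"


# Constructed sample mailbox: one ordinary message, then one with a 10,000-char envelope.
SAMPLE_MBOX = (
    "From alice@example.test Mon Feb  8 13:19:29 1999\n"
    "Subject: hello\n\nbody line\n>From me, quoted in the body\n\n"
    "From " + "A" * 10000 + "\n"
    "Subject: bad\n\npayload\n"
)

if __name__ == "__main__":
    for idx, length in find_oversized_envelopes(SAMPLE_MBOX):
        print(f"message {idx}: envelope line is {length} chars")  # message 1: 10005 chars
```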
    