
The so-called "remote exploit in pine"



severity 33099 normal
severity 33210 normal
reassign 33099 general
reassign 33210 general
merge 33099 33210

I have been unable to reproduce the problem reported in Bug#33099.

If I'm not mistaken, to deal with this we would have to check that all our
printcap entries are safe (hence the "general" reassignment).

I will let the Debian security experts decide about the severity of
these bugs (previously 33099 was "critical" and 33210 "normal").

Thanks.


Date: Wed, 10 Feb 1999 18:21:11 -0800 (Pacific Standard Time)
From: Pine Development Team <pine@cac.washington.edu>
To: BUGTRAQ@netspace.org, pine-announce@cac.washington.edu
Organization: University of Washington;  Computing & Communications
Subject: So-called "remote exploit in pine"


Many of you have inquired about a recent widely-distributed message
describing a "remote exploit in pine", specifically, a "vunerability in
metamail package used with pine" and a claim that the '`' character "is
incorrectly expanded by pine".

We believe the following to be true:

 o There is indeed a vulnerability in the default *mailcap* file
   distributed with the popular metamail MIME-support package.   

 o This same mailcap file has in the past been included in Pine
   distributions as a sample; however, this sample file is not used by
   Pine unless it is manually installed and renamed.

 o While the metamail package *can* be used with Pine, Pine does not
   *require* the installation of metamail.

 o If a site chooses to install metamail, they should definitely expunge
   the dangerous entries from the default mailcap file.  Such a corrected 
   mailcap file is attached.

 o If correcting the system mailcap file is not immediately possible,
   users may wish to set Pine's "mailcap-search-path" variable to a
   personal mailcap file path.  (See Pine's Main/Setup/Config screen.)

 o Everyone should beware of offered workarounds in the form of Pine
   patches that simply insert the shell-escape character before any
   substituted back-quotes, as this only results in moving the problem
   down one level of shell-nesting.

 o PC-Pine users are not vulnerable to these dangerous mailcap entries.

We do not agree that the '`' character "is incorrectly expanded by pine".
Rather, we believe that Pine correctly implements RFC-1524.  However, it
is possible to modify Pine to preclude mailcap parameter substitution and
thereby avoid mailcap risks at sites where faulty mailcap files may be
installed.  A patch to do this is attached.  Obviously, this patch will
also break any legitimate mailcap entries that depend on parameter
substitution.

While one could modify Pine to guard against the particular exploit
permitted by the mailcap entries in question, it is very difficult to
conceive of a truly safe "paranoid mode" other than disabling parameter
substitution entirely.  However, we suspect most people will find it far
easier to remove any unsafe entries from their mailcap configuration file.

Sincerely,

 Pine Development Team
  University of Washington

[ mailcap.sample and patches snipped. Available in bug #33210 ]

-- 
 "9e89e791af9cdfbb98a40615f06c34e8" (a truly random sig)
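The Pine team's message above turns on one mechanism: RFC 1524 lets a mailcap command line contain substitutions, and `%{parameter}` (and `%t`) pull values straight out of the incoming message's Content-Type header into a command that is then handed to a shell. Their advice is to expunge such entries from the system mailcap (or point Pine's "mailcap-search-path" at a personal file) rather than to escape back-quotes. The following script is an added example written for this page; it is not code from Pine, metamail or the Debian bug report. It parses a mailcap file (comments, backslash continuation lines, backslash-escaped semicolons, flag and key=value fields) and lists every entry whose command, test, compose, edit or print field embeds header-derived values, so a site can see which entries to remove. The sample mailcap text, program names and parameter names in it are constructed for illustration and are not the metamail default file.

```python
"""Audit an RFC 1524 mailcap file for entries that substitute
message-controlled values (%{parameter}, %t) into shell command lines.
Added example; not part of Pine, metamail or the Debian bug report."""
import re
from typing import Dict, List

# Constructed sample mailcap text; the entries, programs and parameter
# names are illustrative and NOT taken from the metamail default mailcap.
SAMPLE_MAILCAP = """\
# comment line, ignored
text/plain; cat %s; copiousoutput
application/x-demo; demo-viewer %{name} %s; \\
    test=test -n "$DISPLAY"
image/*; image-viewer %s
video/*; show-type %t %s
"""

# RFC 1524 fields whose value is a shell command line
COMMAND_FIELDS = ("command", "test", "compose", "composetyped", "edit", "print")

# %{param} substitutes the value of a Content-Type parameter from the message
PARAM_SUBST = re.compile(r"%\{([^}]*)\}")


def _join_continuations(text: str) -> List[str]:
    """Merge backslash-continued physical lines into logical lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def _split_fields(line: str) -> List[str]:
    """Split a logical line on ';', honouring backslash-escaped semicolons."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_mailcap(text: str) -> List[Dict[str, str]]:
    """Parse mailcap text into entries: 'type', 'command' and optional fields.

    Flag fields such as copiousoutput/needsterminal get an empty string value.
    """
    entries = []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        if len(fields) < 2:
            continue  # malformed: an entry needs at least a type and a command
        entry = {"type": fields[0].strip().lower(), "command": fields[1].strip()}
        for field in fields[2:]:
            field = field.strip()
            if not field:
                continue
            key, _, value = field.partition("=")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries


def audit_mailcap(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Report every command field that embeds header-derived substitutions."""
    findings = []
    for entry in entries:
        for field in COMMAND_FIELDS:
            cmd = entry.get(field, "")
            if not cmd:
                continue
            params = PARAM_SUBST.findall(cmd)  # %{param} names
            if "%t" in cmd:                    # content type, also from the header
                params.append("%t")
            if params:
                findings.append({"type": entry["type"], "field": field,
                                 "command": cmd, "params": params})
    return findings


if __name__ == "__main__":
    for f in audit_mailcap(parse_mailcap(SAMPLE_MAILCAP)):
        print(f"{f['type']}: field '{f['field']}' substitutes "
              f"{', '.join(f['params'])} -> {f['command']}")
```

Run it against a real system file with `parse_mailcap(open("/etc/mailcap").read())`; `%s` entries are not flagged because the temporary file name it expands to is chosen by the mail reader, not by the sender, which is exactly the distinction the team draws between a correct RFC 1524 implementation and unsafe mailcap entries.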

