Re: buffer overflow in pine <= 4.21

On Fri, Nov 03, 2000 at 06:15:16PM +0100, Robert Varga wrote:
> is the debianized pine4.21 vulnerable to the long From address buffer
> overflow vulnerability, which is corrected in 4.30 upstream?

pine is riddled with buffer overflows, it's considered unfixable
without totally throwing away 100% of the code and starting over.  why
would anyone do that when we have mutt, which is a far superior and
Free replacement?

try this:

$ export HOME=`perl -e 'print "a" x 10000'`
$ pine
it should segfault.  good indication of a buffer overflow there. 

if you won't apt-get --purge remove pine, remove the setgid bit.  pine
appears to function without it.  but that is no protection for users
who choose to use it.

best advice: switch to mutt.  you can configure mutt to act like

Ethan Benson
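
[Added example, not part of the original message and not pine source code.] A segfault on an oversized HOME is the usual symptom of an environment string being copied into a fixed-size buffer without a length check. The sketch below puts that pattern next to a bounded version; the buffer size, the file name ".examplerc" and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256            /* assumed fixed buffer size */
#define RC_NAME  "/.examplerc"  /* hypothetical per-user config file name */

/* Unsafe pattern, shown for contrast and never called here: the copy length
 * is controlled by whoever sets $HOME, so a 10000-byte value runs past out. */
void rc_path_unsafe(const char *home, char *out)
{
    strcpy(out, home);
    strcat(out, RC_NAME);
}

/* Bounded form: returns 0 on success, -1 if home is missing, empty,
 * or too long to fit in out together with RC_NAME and the terminator. */
int rc_path_safe(const char *home, char *out, size_t outlen)
{
    if (home == NULL || home[0] == '\0')
        return -1;
    int n = snprintf(out, outlen, "%s%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outlen)   /* truncation counts as failure */
        return -1;
    return 0;
}

/* Builds a constructed HOME value of len 'a' characters (the same shape as
 * the perl one-liner in the message) and returns rc_path_safe's verdict. */
int check_len(size_t len)
{
    char path[PATH_BUF];
    char *home = malloc(len + 1);
    if (home == NULL)
        return -2;
    memset(home, 'a', len);
    home[len] = '\0';
    int rc = rc_path_safe(home, path, sizeof path);
    free(home);
    return rc;
}

int main(void)
{
    char path[PATH_BUF];
    printf("10000-byte HOME: %s\n", check_len(10000) == 0 ? "accepted" : "rejected");
    if (rc_path_safe(getenv("HOME"), path, sizeof path) == 0)
        printf("current HOME -> %s\n", path);
    else
        printf("current HOME rejected\n");
    return 0;
}
```

A program installed setgid should reject or fall back to a safe default when the check fails, since the environment is supplied by the invoking user.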

