[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: buffer overflow in pine <= 4.21

On Mon, Nov 06, 2000 at 09:54:03AM +0100, Thomas Gebhardt wrote:

> > it should segfault.  good indication of a buffer overflow there.
> While this kind of buffer overflow is nasty, (as far as I can see)
> from a security point of view it is rather harmless.

not if the program is question is setuid or setgid, in those cases a
user may be able to exploit the overflow to obtain elevated
privileges.   note that the .debs created by the debian pine-src
packages install pine setgid mail (uncessarily AFAICT).

> If you can get pine to execute arbitrary code just by sending a
> malicous mail, that's really dangerous. 


Ethan Benson

Attachment: pgpLMyPItlbBF.pgp
Description: PGP signature

Reply to: