On Mon, Nov 06, 2000 at 09:54:03AM +0100, Thomas Gebhardt wrote: > > it should segfault. good indication of a buffer overflow there. > > While this kind of buffer overflow is nasty, (as far as I can see) > from a security point of view it is rather harmless. not if the program is question is setuid or setgid, in those cases a user may be able to exploit the overflow to obtain elevated privileges. note that the .debs created by the debian pine-src packages install pine setgid mail (uncessarily AFAICT). > If you can get pine to execute arbitrary code just by sending a > malicous mail, that's really dangerous. indeed. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpLMyPItlbBF.pgp
Description: PGP signature