COMMAND

    Pine

SYSTEMS AFFECTED

    Pine 4.21

PROBLEM

    Pavel Kankovsky found the following. An attempt was made to fix the
    vulnerability. An unsuccessful one. For the previous bug see:

        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/pine15.html

    The following line in pine/mailview.c controls whether the
    quoting is done or not:

        if(strpbrk(handle->h.url.path, "&*;<>?[|~$") != NULL){  /* specials?  */

    It is obvious something is wrong: they try to explicitly list all
    harmful characters, and we all know this is the "disaster pattern".
    It is left as an exercise for the reader to find at least two
    characters not included in the list that have special meaning for
    the shell. Special bonus for finding a character that is not on
    the list and has the power to defeat the effect of quoting (not
    speaking about the bash 1.x \377 bug; btw, it chokes on ``echo
    "$(echo '1`2')"'' as well... another good reason to get rid of it).
    If you need a hint, search the same function for the following
    line:

        sstrcpy(&cmdp, handle->h.url.path);
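
    The "disaster pattern" above, measured: an added example (not Pine's
    code) that counts how many byte values the quoted denylist lets
    through against a strict allowlist. The ALLOWED_PUNCT set and all
    function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Denylist exactly as quoted from pine/mailview.c in the advisory. */
static const char DENYLIST[] = "&*;<>?[|~$";
/* Assumption for this example: punctuation that is ordinary in a shell word. */
static const char ALLOWED_PUNCT[] = "-._/:@%+,=";

/* Denylist policy: returns 1 when none of the listed specials is present. */
int denylist_passes(const char *s)
{
    return strpbrk(s, DENYLIST) == NULL;
}

/* Allowlist policy: returns 1 only for a non-empty string made up
 * entirely of ASCII letters, digits and ALLOWED_PUNCT. */
int allowlist_passes(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && strchr(ALLOWED_PUNCT, c) == NULL)
            return 0;
    }
    return 1;
}

/* Count the single byte values 1..255 that a policy lets through. */
int count_admitted(int (*policy)(const char *))
{
    char buf[2] = { 0, 0 };
    int n = 0;
    for (int c = 1; c < 256; c++) {
        buf[0] = (char)c;
        n += policy(buf);
    }
    return n;
}

int main(void)
{
    printf("denylist admits  %d of 255 byte values\n", count_admitted(denylist_passes));
    printf("allowlist admits %d of 255 byte values\n", count_admitted(allowlist_passes));
    return 0;
}
```

    A path that fails the allowlist is better refused, or handed to the
    viewer as a single argv element without going through a shell, than
    repaired by quoting.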

SOLUTION

    4.22?