COMMAND

    pine

SYSTEMS AFFECTED

    those using pine

PROBLEM

    The following is based on FreeBSD Security Advisory
    FreeBSD-SA-00:47.  The problem was originally found by Juhapekka
    Tolvanen.

    Pine is a popular mail user agent.  The pine4 port, versions  4.21
    and  before,  contained  a  bug  which  would cause the program to
    crash when  processing a  folder which  contains an  email message
    with a malformed X-Keywords header.   The message itself could  be
    deleted within pine  if identified, but  other operations such  as
    closing the folder with the message still present would cause  the
    program to  crash with  no apparent  cause, discarding  changes to
    the mailbox.

    Remote users can cause pine4  to crash when closing a  mail folder
    by sending a malformed email.   If you have not chosen to  install
    the  pine4  port/package,  then  your  system is not vulnerable to
    this problem.

SOLUTION

    The FreeBSD  port of  pine4 was  changed on  2000-07-17 to  use an
    updated version of  the c-client library  which is used  to handle
    the mailbox  processing.   This library  does not  contain the bug
    and versions of pine4 built with it (i.e. ports or packages  dated
    after the correction date) do not suffer from this vulnerability.

    It  may  be  possible  to  use  a  mail  filtering utility such as
    procmail (available in FreeBSD ports as  /usr/ports/mail/procmail)
    to filter out the malformed X-Keywords header from incoming  mail,
    but this solution is not discussed here.
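
    One way to do that filtering, as an added example that is not part
    of the advisory: a Python filter that removes every X-Keywords
    header field (folded continuation lines included) from a message's
    header block and leaves the body untouched.  It strips the header
    unconditionally because the advisory does not say what makes it
    malformed; the function name, the script path and the procmail
    recipe in the comment are assumptions.

```python
#!/usr/bin/env python3
"""Delivery-time filter: drop every X-Keywords header from a message.

Hypothetical procmail usage (script path is a placeholder):
    :0 fhw
    | /path/to/strip_xkeywords.py
"""
import sys

BLOCKED = b"x-keywords"  # header named in the advisory


def strip_header(raw: bytes, name: bytes = BLOCKED) -> bytes:
    """Return raw with all `name` header fields (and folded lines) removed.

    Only the header block is touched; the body is copied byte for byte.
    """
    lines = raw.splitlines(keepends=True)
    out = []
    dropping = False
    for i, line in enumerate(lines):
        if line in (b"\n", b"\r\n"):          # blank line: end of headers
            out.extend(lines[i:])
            break
        if line[:1] in (b" ", b"\t"):         # folded continuation line
            if not dropping:                  # keep it only if its field is kept
                out.append(line)
            continue
        # Field name is everything before the first colon; tolerate
        # stray whitespace and any letter case.
        field = line.split(b":", 1)[0].strip().lower()
        dropping = b":" in line and field == name.lower()
        if not dropping:
            out.append(line)
    return b"".join(out)


# Constructed sample message (not taken from the advisory).
SAMPLE = (
    b"From: a@example.org\n"
    b"X-Keywords: one two\n"
    b"\tthree\n"
    b"Subject: test\n"
    b"\n"
    b"X-Keywords: this line is body text and must stay\n"
)

if __name__ == "__main__":
    sys.stdout.buffer.write(strip_header(sys.stdin.buffer.read()))
```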

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21.tgz