COMMAND

    pine/pico

SYSTEMS AFFECTED

    Mostly systems running Pine 3.96 (at least)

PROBLEM

    Michal Zalewski found the following.  Pico, the editor included with
    the pine 3.96 package, handles vt control characters (e.g. 0x9B)
    improperly, so it is possible to do almost anything when a normal
    text file is viewed with pico.  Example?  Try viewing a file
    containing only two characters: 0x9B and 0x63...  That's not all:
    pico is called by pine when you're replying to a mail message, and
    anyone may insert any control chars (using quoted-printable
    encoding) into his signature.  Note that in the example above you
    may get just a greater-or-equal sign and a lowercase c, which is
    nothing odd at all.  This is because the bug depends entirely on
    the terminal (or emulator) in use.  While 'dumb' terminals are
    mostly safe (maybe except DoS attacks, destruction of display,
    etc.), smarter ones are vulnerable to things like parsing arbitrary
    strings as if typed from the keyboard, changing terminal options,
    writing files and executing arbitrary code (see the 'capabilities'
    section of the termcap manpage, then the termcap entry for your
    terminal type).  Most of them, if implemented, are available via
    the 0x9B control character.

    Pine shows the message, expanding it properly, but if you hit
    'reply' (pico is called when you're composing a message), or simply
    view an evil txt file with pico... Kaboom!
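
    The check a mail client or editor front end can apply before such
    text reaches the terminal, as an added example (not code from pine
    or from the advisory): decode the quoted-printable escapes, then
    rewrite every control byte as visible ASCII.  The function names
    are hypothetical, and an 8-bit single-byte character set is assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if ch is not one. */
static int hexval(int ch) {
    if (ch >= '0' && ch <= '9') return ch - '0';
    ch = toupper(ch);
    return (ch >= 'A' && ch <= 'F') ? ch - 'A' + 10 : -1;
}

/* Decode quoted-printable "=XX" escapes in place (soft line breaks are
 * left alone in this example); returns the decoded length. */
size_t qp_decode(unsigned char *buf, size_t n) {
    size_t r = 0, w = 0;
    while (r < n) {
        int hi, lo;
        if (buf[r] == '=' && r + 2 < n && (hi = hexval(buf[r + 1])) >= 0 &&
            (lo = hexval(buf[r + 2])) >= 0) {
            buf[w++] = (unsigned char)((hi << 4) | lo);
            r += 3;
        } else {
            buf[w++] = buf[r++];
        }
    }
    return w;
}

/* Copy in[] to out[], rewriting C0 controls (except TAB and LF) and DEL
 * as ^X and C1 controls (0x80-0x9F, which include 0x9B) as \xNN.
 * Returns the number of bytes neutralized, or -1 if out[] is too small. */
int sanitize_for_terminal(const unsigned char *in, size_t n,
                          char *out, size_t outsz) {
    size_t w = 0;
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (w + 5 > outsz) return -1;          /* room for "\xNN" + NUL */
        if (c == '\t' || c == '\n' || (c >= 0x20 && c < 0x7F) || c > 0x9F) {
            out[w++] = (char)c;                /* printable: pass through */
        } else if (c < 0x20 || c == 0x7F) {
            out[w++] = '^'; out[w++] = (char)(c ^ 0x40); hits++;
        } else {
            w += (size_t)snprintf(out + w, outsz - w, "\\x%02X", (unsigned)c);
            hits++;
        }
    }
    out[w] = '\0';
    return hits;
}
```

    A non-zero return value is also a useful signal on its own: a mail
    signature has no ordinary reason to carry C1 control bytes.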

SOLUTION

    A partial fix follows.  It is partial since it covers only 0x9B,
    but 0x9B is the 'control character' for almost every newer terminal.

    --- display.c.orig      Wed Jul 10 18:59:09 1996
    +++ display.c   Sat Apr 25 14:23:41 1998
    @@ -266,7 +266,7 @@
            }
             while ((vtcol&0x07) != 0);
         }
    -    else if (c.c < 0x20 || c.c == 0x7F) {
    +    else if (c.c < 0x20 || (c.c >= 0x7F && c.c <= 0x9F)) {
            ac.c = '^';
             vtputc(ac);
            ac.c = (c.c ^ 0x40);
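
    Review bot: the unchanged `ac.c = (c.c ^ 0x40);` line now also runs for the new 0x80-0x9F range, where the XOR yields 0xC0-0xDF (0x9B becomes 0xDB), so the terminal receives '^' followed by another 8-bit byte instead of readable caret notation. That byte is outside the control range, so the escape is neutralized, but the display is ambiguous with genuine high characters; consider a separate branch for `c.c >= 0x80` that prints a distinct prefix or a hex form. The new test `c.c >= 0x7F && c.c <= 0x9F` also only matches if `c.c` is unsigned or wider than 8 bits, which the hunk does not show, so the declaration is worth confirming, and a short comment naming the range as the 8-bit control characters would help the next reader.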