COMMAND

    pine

SYSTEMS AFFECTED

    Systems running Pine 3.95 through 4.02

PROBLEM

    Chris Wilson discovered a vulnerability in Pine, tested on version
    3.95q but which probably applies to all versions up to 4.02.  It
    allows users to bypass site policies and use Pine to run arbitrary
    commands under their own user name.  Many sites use site policies
    to disable exactly this, in order to prevent users from running
    arbitrary commands.

    The vulnerability is as follows.  When setting up a printer, it is
    possible to choose the "Personally selected print command" option.
    This lets the user specify a command which Pine will run whenever
    it needs to print a document, so by changing the value of this
    setting an arbitrary command can be made to run whenever the user
    prints, say, an e-mail.  System administrators therefore usually
    disable this ability with an option in their pine.conf.fixed file.
    Once the SA has done so, users cannot choose a custom print command
    for themselves through Pine's Printer Setup.  However, if they
    manually edit their .pinerc file and add a line such as:

        printer=test [] echo Hello there! > test

    then this setting overrides the site policy, and the next time a
    file is printed from Pine the command is executed in contravention
    of that policy.  The check, in other words, is applied only by the
    setup screen and not when the .pinerc value is read and used.

    Matt Watson found another way of bypassing site policies with Pine,
    this time through the spell checker.  Enter "/bin/sh" as the custom
    spell checker, compose a message whose content is "/bin/sh", and
    run the checker with ctrl-t: you are dropped at a shell prompt.  On
    most systems this is useless, because the user has a shell to begin
    with.  Some systems, however, hand out "pine accounts" whose default
    login shell is set to pine, so that the user is supposed to have no
    shell access at all; a user of such an account who does the above
    nevertheless reaches a shell prompt.  This has been tested on 3.96.
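    Both bypasses above leave a trace in the user's .pinerc: a printer
    entry carrying a command after the bracketed attribute field, or a
    speller entry naming a program.  The following script is an added
    example, not part of the original advisory or of Pine, that parses
    .pinerc files and flags those two variables when they are set even
    though the site has fixed them.  The variable names "printer" and
    "speller" are Pine's own; the choice of which variables count as
    fixed, and the sample .pinerc, are constructed for this example.

```python
"""Scan .pinerc files for settings that a pine.conf.fixed policy should
have prevented.  Added example for this advisory; not Pine's own code."""
import re
from typing import Dict, List, Tuple

# Variables the advisory shows being abused to run commands.  'printer'
# holds "<name> [<attrs>] <command>", 'speller' holds the spell-check
# command.  Which variables a site has fixed is an assumption here.
DEFAULT_FIXED_VARS = frozenset({"printer", "speller"})


def parse_pinerc(text: str) -> Dict[str, str]:
    """Parse 'var=value' lines.  Lines starting with whitespace continue
    the previous value; lines starting with '#' are comments."""
    settings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            settings[current] += " " + raw.strip()
            continue
        if "=" not in raw:
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        settings[current] = value.strip()
    return settings


# "<name> [<attrs>] <command>"; the command is everything after ']'.
PRINTER_RE = re.compile(r"^(?P<name>[^\[]*?)\s*\[(?P<attrs>[^\]]*)\]\s*(?P<cmd>.*)$")


def printer_command(value: str) -> str:
    """Return the shell command embedded in a printer value, or '' when the
    value is a bare printer name with no bracketed part."""
    m = PRINTER_RE.match(value)
    return m.group("cmd").strip() if m else ""


def find_policy_bypasses(text: str,
                         fixed_vars=DEFAULT_FIXED_VARS) -> List[Tuple[str, str]]:
    """Return (variable, command) pairs set in a .pinerc despite the site
    having fixed that variable."""
    hits: List[Tuple[str, str]] = []
    for var, value in parse_pinerc(text).items():
        if var not in fixed_vars or not value:
            continue
        cmd = printer_command(value) if var == "printer" else value
        if cmd:
            hits.append((var, cmd))
    return hits


# Constructed sample .pinerc reproducing both bypasses from the advisory.
SAMPLE_PINERC = """\
# constructed sample .pinerc
personal-name=Test User
printer=test [] echo Hello there! > test
speller=/bin/sh
"""

if __name__ == "__main__":
    for var, cmd in find_policy_bypasses(SAMPLE_PINERC):
        print(f"{var}: Pine would run {cmd!r}")
```

    Run over every home directory on a host that relies on
    pine.conf.fixed, the script lists the accounts whose .pinerc would
    cause Pine to execute a command the policy was meant to forbid.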

SOLUTION

    The first vulnerability was corrected by the release of a new
    version, 4.03, which fixes the bug.  The new version is available
    from:

        ftp://ftp.cac.washington.edu/pine/pine.tar.Z

    It is recommended that all systems which restrict users' ability to
    run arbitrary commands but allow them to run Pine be upgraded to
    Pine 4.03.  For the second problem there is no information on
    whether 4.03 fixes it; sites that issue "pine accounts" should not
    treat a pine-only login shell as preventing shell access unless the
    spell checker setting is fixed as well.