From owner-freebsd-security Mon Sep 18 9:29:51 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id B00FD37B423; Mon, 18 Sep 2000 09:29:46 -0700 (PDT) Received: (from root@localhost) by giganda.komkon.org (8.9.3/8.9.3) id MAA16045; Mon, 18 Sep 2000 12:29:45 -0400 (EDT) (envelope-from str) Date: Mon, 18 Sep 2000 12:29:45 -0400 (EDT) From: Igor Roshchin Message-Id: <200009181629.MAA16045@giganda.komkon.org> To: security-advisories@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD Ports Security Advisory: FreeBSD-SA-00:47.pine Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Would somebody, please, clarify if the older pine3 port is also vulnerable ? I know that it is no longer supported in the ports collection, but it is still being used. Since pine3 port is not formally a pine4 port, although its version is before 4.21, it is not clear if this bug existed since the 3.xx period or it was introduced in 4.xx version. Thanks, Igor > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-00:47 Security Advisory > FreeBSD, Inc. > > Topic: pine4 port allows denial of service > > Category: ports > Module: pine4 > Announced: 2000-09-13 > Affects: Ports collection. > Corrected: 2000-07-17 > Credits: Juhapekka Tolvanen > Vendor status: Contacted > FreeBSD only: NO > > I. Background > > Pine is a popular mail user agent. > > II. Problem Description > > The pine4 port, versions 4.21 and before, contained a bug which would > cause the program to crash when processing a folder which contains an > email message with a malformed X-Keywords header. The message itself > could be deleted within pine if identified, but other operations such > as closing the folder with the message still present would cause the > program to crash with no apparent cause, discarding changes to the > mailbox. > > The FreeBSD port of pine4 was changed on 2000-07-17 to use an updated > version of the c-client library which is used to handle the mailbox > processing. This library does not contain the bug and versions of > pine4 built with it (i.e. ports or packages dated after the correction > date) do not suffer from this vulnerability. > > The pine4 port is not installed by default, nor is it "part of > FreeBSD" as such: it is part of the FreeBSD ports collection, which > contains over 3800 third-party applications in a ready-to-install > format. The ports collections shipped with FreeBSD 4.1 and 3.5.1 > contain this problem since it was discovered after the releases. > > FreeBSD makes no claim about the security of these third-party > applications, although an effort is underway to provide a security > audit of the most security-critical ports. > > III. Impact > > Remote users can cause pine4 to crash when closing a mail folder by > sending a malformed email. > > If you have not chosen to install the pine4 port/package, then > your system is not vulnerable to this problem. > > IV. Workaround > > Deinstall the pine4 port/package, if you have installed it. > > It may be possible to use a mail filtering utility such as procmail > (available in FreeBSD ports as /usr/ports/mail/procmail) to filter out > the malformed X-Keywords header from incoming mail, but this solution > is not discussed here. > > V. Solution > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the pine4 port. > > 2) Deinstall the old package and install a new package dated after the > correction date, obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/pine-4.21.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.21.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/mail/pine-4.21.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.21.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/mail/pine-4.21.tgz > > NOTE: Be sure to check the file creation date on the package, because > the version number of the software has not changed. > > 3) download a new port skeleton for the listmanager port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz > > -----BEGIN PGP SIGNATURE----- > Version: 2.6.2 > > iQCVAwUBOb/kgFUuHi5z0oilAQEwgAQAnYgLOfvgfM88DLjUXgoZBkVRoroeU8rz > 2DXUw4LEQ6ARzruWPepALW2Yls+g5SraDCLHmuTo6tb3vR6kwQ97gQmzNCNDxK9T > /5m4EFYo2ErTOB4nO/MqepJ+/0t4oBPByhaRjQBSqQncaN4FIkWgboqfpbYdL6HC > cnQSlc+0FPs= > =R2n+ > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > [Decrypting message... End of raw data.] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message