netbsd-bugs: pkg/19239: mail/pine is insecure

Subject: pkg/19239: mail/pine is insecure
To: None <gnats-bugs@gnats.netbsd.org>
From: None <reed@reedmedia.net>
List: netbsd-bugs
Date: 12/02/2002 10:28:39

>Number:         19239
>Category:       pkg
>Synopsis:       pine<4.50 has security issues
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 02 10:29:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6
>Organization:
http://bsd.reedmedia.net/
>Environment:
	
	
System: NetBSD rainier.reedmedia.net 1.6 NetBSD 1.6 (JCR-20020927) #3: Sat Sep 28 13:40:20 PDT 2002 reed@rainier.reedmedia.net:/usr/src/sys/arch/i386/compile/JCR-20020927 i386
Architecture: i386
Machine: i386
>Description:
Pine has security issues.
Messages to bugtraq confirmed that
"An attacker can send a fully legal email message with a crafted
From-header and thus forcing pine to core dump on startup."

CAN-2002-1320

Maybe it can be exploited.
>How-To-Repeat:
	
>Fix:
The 4.50 version apparently fixes the problem.

Either add patch to existing pine-4.44 and add PKGREVISION;
and add to vulnerabilities:
pine<=4.44	denial-of-service	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1320

Or update to 4.50.
pine<=4.50	denial-of-service	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1320

Since the pine webpage says their are multiple bugs fixed,
it is probably a good idea to just go to 4.50 (and hope
nothing else is broken).
>Release-Note:
>Audit-Trail:
>Unformatted: