8th Nov 2002 [SBWID-5798]
COMMAND

	Remote Pine DoS

SYSTEMS AFFECTED

	Pine version 4.44

PROBLEM

	Linus Sjöberg (lsjoberg@aland.net):
	
	An attacker can send a fully legal email message with a crafted
	From-header and thus force pine to core dump on startup. The only way
	to launch pine is to manually remove the bad message, either directly
	from the spool or from another MUA. Until the message has been removed
	or edited there is no way of accessing the INBOX using pine.
	
	 Description
	 ***********
	
	When pine detects an email with a From-header looking like
	
	From: 
	"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""@host.fubar
	
	it will die with a segmentation fault. Note that the  address  is  fully
	legal, even if quite unusable.
	
	When I reproduced the problem with pine running within gdb I got the
	following backtrace:
	
	#0  0x401ea490 in chunk_free (ar_ptr=0x4029e300, p=0x83b65d8) at 
	malloc.c:3231
	#1  0x401ea3f4 in __libc_free (mem=0x83b65e0) at malloc.c:3154
	#2  0x081ef8e2 in fs_give (block=0xbfffb9b8) at fs_unix.c:60
	#3  0x080feb4f in set_index_addr 
	    (idata=0xbfffc8c0, field=0x83012d8 "From", 
	    addr=0x83b6160, prefix=0x0, width=18, 
	    s=0xbfffbd11 
	    "\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\"\\\b`´:\bX½^?¿ïø\036\b")
	    at mailindx.c:4508
	#4  0x080fb397 in format_index_line (idata=0xbfffc8c0) at mailindx.c:3376
	#5  0x080f9ec4 in build_header_line (state=0x839f260, stream=0x83aba88, 
	    msgmap=0x83a17b0, msgno=40) at mailindx.c:2761
	#6  0x080f71e3 in update_index (state=0x839f260, screen=0xbfffcb90)
	    at mailindx.c:1264
	#7  0x080f576c in index_lister (state=0x839f260, cntxt=0x83a8d28, 
	    folder=0x839f325 "INBOX", stream=0x83aba88, msgmap=0x83a17b0)
	    at mailindx.c:603
	#8  0x080f5347 in mail_index_screen (state=0x839f260) at mailindx.c:452
	#9  0x081588e6 in main (argc=1, argv=0xbfffddc4) at pine.c:1122
	#10 0x40185657 in __libc_start_main (main=0x8156974 <main>, argc=1, 
	    ubp_av=0xbfffddc4, init=0x804ab28 <_init>, fini=0x8225c70 <_fini>, 
	    rtld_fini=0x4000dcd4 <_dl_fini>, stack_end=0xbfffddbc)
	    at ../sysdeps/generic/libc-start.c:129
	
	Since pine dumped core it might be possible to execute code on the
	victim's machine, but since I am not into that kind of game I leave
	that part for others to find out.
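
	As an added illustration (not part of the original advisory, and not
	Pine's code): the script below does the two things an administrator
	needs around this report. It builds an mbox holding the From-header
	described above, so the crash can be reproduced against a throwaway
	account, and it scans an mbox for messages whose From address has a
	quoted-string local part containing backslash quoted-pairs, so the
	offending message can be located and removed from the spool with a
	tool other than pine. The number of escaped quotes, the sample
	messages, the envelope addresses and the detection rule (any
	quoted-pair in a quoted local part) are assumptions; only the shape
	of the address and the domain host.fubar come from the advisory.

```python
# Added example (not from the SBWID-5798 advisory or from Pine): build an mbox
# carrying the advisory's From: line, and scan an mbox for From: addresses whose
# quoted-string local part contains backslash quoted-pairs.
import mailbox
import os
import re
import tempfile

# Assumption: number of \" quoted-pairs in the local part (the advisory shows a
# run of them; the exact count is not reproduced here).
ESCAPED_QUOTES = 30

def crafted_from_header(n=ESCAPED_QUOTES, domain="host.fubar"):
    """From: value from the advisory: a quoted-string local part made of n
    RFC 2822 quoted-pairs (backslash, double quote), then @domain."""
    return '"' + '\\"' * n + '"@' + domain

def unfold(value):
    """Undo RFC 2822 header folding: line break plus whitespace -> one space."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()

def addr_spec_of(header_value):
    """'Alice <alice@example.org>' -> the bracketed part; a bare addr-spec is
    returned as is.  Simplified: '<' inside a quoted display name breaks it."""
    lt, gt = header_value.rfind("<"), header_value.rfind(">")
    return header_value[lt + 1:gt] if lt != -1 and gt > lt else header_value

def split_address(addr):
    """Split an addr-spec into (local_part, domain, quoted_pairs); None when it
    is malformed (unterminated quoted-string, missing '@' or domain)."""
    addr = addr.strip()
    if not addr.startswith('"'):
        if "@" not in addr:
            return None
        local, _, domain = addr.rpartition("@")
        return local, domain, 0
    pairs, i = 0, 1
    while i < len(addr):
        if addr[i] == "\\":       # quoted-pair: backslash plus any one char
            pairs += 1
            i += 2
            continue
        if addr[i] == '"':        # closing quote of the quoted-string
            break
        i += 1
    else:
        return None               # ran off the end: unterminated quoted-string
    local, rest = addr[:i + 1], addr[i + 1:]
    if not rest.startswith("@") or len(rest) < 2:
        return None
    return local, rest[1:], pairs

def is_crash_candidate(from_value):
    """Detection rule (assumption): a quoted-string local part containing any
    quoted-pair.  Legitimate mail almost never has one; the advisory's does."""
    parsed = split_address(addr_spec_of(unfold(from_value)))
    return parsed is not None and parsed[2] > 0

def find_bad_messages(mbox_path):
    """[(1-based message number, unfolded From: value), ...] for every message
    in the mbox matching the rule, so it can be removed with another tool."""
    hits, mb = [], mailbox.mbox(mbox_path)
    try:
        for number, msg in enumerate(mb, 1):
            value = msg.get("From")
            if value is not None and is_crash_candidate(value):
                hits.append((number, unfold(value)))
    finally:
        mb.close()
    return hits

def build_test_mbox(path, n=ESCAPED_QUOTES):
    """Write a two-message mbox (constructed sample data): one benign message
    and the crafted one.  Deliver it to a throwaway spool to test pine."""
    benign = ("From alice@example.org Fri Nov  8 10:00:00 2002\n"
              "From: Alice <alice@example.org>\n"
              "Subject: hello\n\nplain message\n\n")
    crafted = ("From attacker@host.fubar Fri Nov  8 10:01:00 2002\n"
               "From: " + crafted_from_header(n) + "\n"
               "Subject: pine test\n\nbody\n\n")
    with open(path, "w") as fh:
        fh.write(benign + crafted)
    return path

def demo():
    """Build the test mbox in a temporary directory and scan it."""
    path = os.path.join(tempfile.mkdtemp(), "test.mbox")
    build_test_mbox(path)
    return find_bad_messages(path)

if __name__ == "__main__":
    for number, value in demo():
        print("message %d: %s" % (number, value))
```

	Run against a copy of the real spool rather than the live file (the
	scan only reads, but the MTA may be appending to it), then delete or
	edit the reported message with another MUA or a text editor. The
	unfold step matters in practice: a header long enough to exceed the
	line limit is often folded onto a continuation line, as the advisory's
	own sample shows, and a scanner that compares only the first physical
	line would miss it.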

SOLUTION

	Washington University replied to my posting within a few hours and
	reported that the issue was to be fixed in version 4.50. They have not
	yet made such a version publicly available after 1½ months, so I have
	chosen to go public with this advisory even if there is no patch yet
	available.
	
	 http://www.washington.edu/pine/