Date: Mon, 8 Feb 1999 21:19:29 +0000
From: Chris Evans
To: BUGTRAQ@netspace.org
Subject: Pine _again_ :)

Hi,

PINE seems to be flavour of the month so I'll add to Michal's post. This is much less serious than Michal's problem but probably noteworthy anyway.

PINE can be made to crash if /var/spool/mail/ contains a line along the lines of "From AAAAAAAAAAAA" where the A's number ~10000. If you are lucky your MTA will truncate this line safely, preventing remote exploit. I discovered this by "accident" playing with procmail locally - procmail places no limits on what junk you can inject into other people's mailboxes.

The affected pine version is 4.04 as comes with RedHat 5.2. Pine 4.10 untested. If someone wants to test it and can't get it to work contact me for a ready made MBOX file.

To get the crash to happen I _think_ the message has to be viewed. But that's what people tend to do with mail ;-)

The actual crash occurs when the product exits. The overflow isn't onto the stack but there are definite exploit opportunities. On i386 and 100,000 A's, the core dump indicates edi=0x41414141 which suggests we can copy data to an arbitrary location in virtual memory.

Cheers
Chris
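The post notes that an MTA which truncates the oversized "From " separator line prevents the crash. As an added example (not from the post or from Pine), here is a small mbox scanner that flags separator lines longer than the RFC 5322 line limit and a clipper that applies the same truncation a careful MTA or delivery agent would; the sample mailbox is constructed inline and the 998-character threshold is an assumption.

```python
import re

# Constructed sample mbox: one ordinary message, then one whose mbox
# "From " separator line is padded far beyond any sane envelope-sender length.
SAMPLE_MBOX = (
    "From alice@example.com Mon Feb  8 21:19:29 1999\n"
    "From: alice@example.com\n"
    "Subject: hello\n"
    "\n"
    "body\n"
    "\n"
    "From " + "A" * 10000 + "\n"
    "Subject: oversized separator\n"
    "\n"
    "body\n"
)

# RFC 5322 caps a line at 998 characters (assumed threshold here); a real
# separator (envelope sender plus ctime date) is far shorter than that.
MAX_FROM_LINE = 998

# mbox message separators start with "From " at column 0; body lines that
# begin the same way are conventionally escaped as ">From ", so an unescaped
# match is either a separator or something worth looking at anyway.
FROM_LINE_RE = re.compile(r"^From ")


def oversized_from_lines(mbox_text, limit=MAX_FROM_LINE):
    """Return (line_number, length) for every separator line longer than limit."""
    findings = []
    for lineno, line in enumerate(mbox_text.splitlines(), start=1):
        if FROM_LINE_RE.match(line) and len(line) > limit:
            findings.append((lineno, len(line)))
    return findings


def clip_from_lines(mbox_text, limit=MAX_FROM_LINE):
    """Return the mailbox with every over-long separator line cut to limit chars."""
    out = []
    for line in mbox_text.splitlines(keepends=True):
        body = line.rstrip("\n")
        if FROM_LINE_RE.match(body) and len(body) > limit:
            line = body[:limit] + "\n"
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for lineno, length in oversized_from_lines(SAMPLE_MBOX):
        print(f"line {lineno}: separator is {length} chars")
```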