[FUGSPBR] Fw: FreeBSD Ports Security Advisory FreeBSD-SA-02:05.pine
Vitor de M. Carvalho
vitor em softinfo.com.br
Sat Jan 5 00:10:07 BRST 2002
Regards,
Vitor de M. Carvalho
System Network Administrator - Softinfo Network
FreeBSD - The Power To Serve
ICQ - 41747397
----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories em FreeBSD.ORG>
To: "FreeBSD Security Advisories" <security-advisories em FreeBSD.ORG>
Sent: Friday, January 04, 2002 11:04 PM
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:05.pine
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-02:05                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic: pine port insecure URL handling
>
> Category: ports
> Module: pine
> Announced: 2002-01-04
> Credits: zen-parse <zen-parse em gmx.net>
> Affects: Ports collection prior to the correction date
> Corrected: 2001-10-05 08:41:39 UTC
> FreeBSD only: NO
>
> I. Background
>
> PINE is an application for reading mail and news.
>
> II. Problem Description
>
> The pine port, versions previous to pine-4.40, handles URLs in
> messages insecurely. PINE allows users to launch a web browser to
> visit a URL embedded in a message. Due to a programming error, PINE
> does not properly escape meta-characters in the URL before passing it
> to the command shell as an argument to the web browser.
>
> The pine port is not installed by default, nor is it "part of FreeBSD"
> as such: it is part of the FreeBSD ports collection, which contains
> over 6000 third-party applications in a ready-to-install format. The
> ports collection shipped with FreeBSD 4.4 contains this problem since
> it was discovered after the release.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> An attacker can supply commands enclosed in single quotes ('') in a
> URL embedded in a message sent to the victim. If the user then
> decides to view the URL, PINE will launch a command shell which will
> then execute the attacker's commands with the victim's privileges. It
> is possible to obfuscate the URL so that it will not necessarily seem
> dangerous to the victim.
>
> IV. Workaround
>
> 1) Deinstall the pine port/package if you have it installed.
>
> V. Solution
>
> 1) Upgrade your entire ports collection and rebuild the port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from the following directories:
>
> [i386]
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.43.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.43.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
>
> 3) Download a new port skeleton for the pine port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
>
> VI. Correction details
>
> The following list contains the $FreeBSD$ revision numbers of each
> file that was corrected in the FreeBSD source
>
> Path Revision
> - -------------------------------------------------------------------------
> ports/mail/pine4/Makefile 1.58
> ports/mail/pine4/distinfo 1.18
> ports/mail/pine4/files/patch-aa 1.4
> ports/mail/pine4/files/patch-ac 1.11
> ports/mail/pine4/files/patch-af 1.12
> ports/mail/pine4/files/patch-ai 1.11
> ports/mail/pine4/files/patch-aj 1.5
> ports/mail/pine4/files/patch-ak 1.6
> ports/mail/pine4/files/patch-al 1.10
> ports/mail/pine4/files/patch-am 1.6
> ports/mail/pine4/files/patch-an 1.5
> ports/mail/pine4/files/patch-ap 1.3
> ports/mail/pine4/files/patch-at 1.6
> ports/mail/pine4/files/patch-au 1.4
> ports/mail/pine4/files/patch-ax 1.4
> ports/mail/pine4/files/patch-az 1.3
> ports/mail/pine4/files/patch-be 1.1
> ports/mail/pine4/files/patch-bf 1.1
> ports/mail/pine4/files/patch-bg 1.1
> ports/mail/pine4/files/patch-reply.c 1.2
> - -------------------------------------------------------------------------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBPDZOCFUuHi5z0oilAQG65gQAjdGuLydxrCswe9trnfOXIKqTkYll/iP7
> 7atJipzI+RvYjCzNu/nVItCM+jjGSDvSzF1/OUStAUNM2OZY7hqneSPHed8wTyX8
> BU7ZNVlLEDsoZc1nWkUpqBkacPLPq6F7k1YbzMO1xVqIzewmXTpaQzmoKNW/ndIO
> T108lLHqDVE=
> =Ry2Q
> -----END PGP SIGNATURE-----
>
> This is the moderated mailing list freebsd-announce.
> The list contains announcements of new FreeBSD capabilities,
> important events and project milestones.
> See also the FreeBSD Web pages at http://www.freebsd.org
>
>
> To Unsubscribe: send mail to majordomo em FreeBSD.org
> with "unsubscribe freebsd-announce" in the body of the message
>
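The advisory's core point is that an attacker-controlled URL was interpolated into a command line that /bin/sh then parsed, and that wrapping it in single quotes does not help once the URL itself contains a quote. The following is an added C example, not part of the advisory and not pine's own source: it shows that unsafe pattern next to three defensive alternatives (correct single-quote escaping, a conservative allowlist, and launching the browser via execvp() so no shell ever sees the URL). The browser name, the sample URL and all function names are constructed for this example.

```c
/* Added example (not from the advisory, not pine's code): the unsafe
 * pattern FreeBSD-SA-02:05 describes, beside three defensive alternatives.
 * Browser names, URLs and function names are constructed sample values. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* UNSAFE: wraps the URL in single quotes inside a command line destined
 * for /bin/sh. A ' inside the URL ends the quoted region, so whatever
 * follows it is parsed by the shell. Returns 1 if the string fit. */
int build_shell_command_unsafe(char *out, size_t outlen,
                               const char *browser, const char *url)
{
    int n = snprintf(out, outlen, "%s '%s'", browser, url);
    return n >= 0 && (size_t)n < outlen;
}

/* Fix 1: escape properly. Inside '...' the shell takes every byte
 * literally except ' itself, so each embedded ' becomes '\'' (close the
 * quotes, one backslash-escaped quote, reopen). Returns 0 on success,
 * -1 if out is too small. */
int shell_single_quote(char *out, size_t outlen, const char *s)
{
    size_t o = 0;
    if (outlen < 3) return -1;              /* room for '' and NUL */
    out[o++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (o + 4 + 2 > outlen) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 + 2 > outlen) return -1;
            out[o++] = *s;
        }
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Fix 2 (defence in depth): refuse URLs containing anything outside a
 * conservative allowlist before they go near a shell. Deliberately strict
 * (e.g. '&' in query strings is refused); meant as a filter in front of a
 * user-configured browser command line, not as a substitute for fix 3.
 * Returns 1 if the URL passes, 0 otherwise. */
int url_is_shell_safe(const char *url)
{
    static const char extra[] = "-._~:/?#@+,=%";
    if (*url == '\0') return 0;
    for (; *url; url++) {
        unsigned char c = (unsigned char)*url;
        if (!isalnum(c) && strchr(extra, c) == NULL) return 0;
    }
    return 1;
}

/* Fix 3 (preferred): never build a command line at all. fork/execvp hands
 * the URL to the browser as a single argv element; no shell parses it, so
 * no metacharacter has any effect. Returns the child's exit status, or -1. */
int launch_browser_noshell(const char *browser, const char *url)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample: a URL carrying an embedded single quote */
    const char *url = "http://example.com/'x'";
    char cmd[256], quoted[256];

    build_shell_command_unsafe(cmd, sizeof cmd, "netscape", url);
    printf("unsafe command line : %s\n", cmd);
    shell_single_quote(quoted, sizeof quoted, url);
    printf("escaped argument    : %s\n", quoted);
    printf("allowlist accepts it: %d\n", url_is_shell_safe(url));
    /* "true" stands in for a browser binary here */
    printf("no-shell launch rc  : %d\n", launch_browser_noshell("true", url));
    return 0;
}
```

Running it prints the unsafe command line with the quoting visibly broken at the embedded quote, the correctly escaped argument, a 0 from the allowlist, and the exit status of the no-shell launch. Of the three, execvp() is the one to reach for: it removes the shell from the path entirely instead of trying to outguess its parser.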
----
To leave the list, send an e-mail to majordomo em fugspbr.org
with the words "unsubscribe fugspbr" in the body of the message.
More details about the freebsd discussion list