[UNIX] Pine Privacy Patch

From: support@securiteam.com
Date: 06/09/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Sun,  9 Jun 2002 07:59:34 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Pine Privacy Patch
------------------------------------------------------------------------

SUMMARY

The Pine email client allows users to define the "From:" address
independent of their UNIX username. This is an indispensable feature for
help desks and other role accounts.

Unfortunately, user names and/or ids can still be leaked due to Pine's
insertion of "Sender:" and/or "X-Sender:" headers. Pine versions earlier
than 4.44 may also insert the UNIX username into other envelope and header
fields.

DETAILS

Vulnerable systems:
Pine versions earlier than 4.44

Solution:
Applying the following patch to pine 4.4 will cause {X-}Sender: headers
to be omitted. Users may also need to define a remote "smtp-server" to
prevent certain local MTAs from inserting this information. Other details
on changing Pine's "From:" lines are detailed in the FAQ at:
 <http://www.washington.edu/pine/faq/config.html#9.5>
http://www.washington.edu/pine/faq/config.html#9.5

To apply this patch, download the source code from:
<ftp://ftp.cac.washington.edu/pine/> ftp://ftp.cac.washington.edu/pine/

Unpack (tar xzvf ...) and cd into the source directory, apply the patch
(patch < patch_file_name) and recompile per the documentation.

--------------------------------------------------------------------
--- pine/send.c.orig Tue Jan 8 12:59:37 2002
+++ pine/send.c Sat Mar 9 09:17:08 2002
@@ -3989,12 +3989,15 @@

  outgoing->return_path = rfc822_cpy_adr(outgoing->from);

+
  /*
  * Don't ever believe the sender that is there.
  * If From doesn't look quite right, generate our own sender.
  */
+ /**** fix u-washington anti-privacy loophole
  if(outgoing->sender)
    mail_free_address(&outgoing->sender);
+ /****

  /*
  * If the LHS of the address doesn't match, or the RHS
@@ -4003,6 +4006,7 @@
  *
  * Don't add a personal_name since the user can change that.
  */
+ /**** fix u-washington anti-privacy loophole
  if(!outgoing->from
     || !outgoing->from->mailbox
     || strucmp(outgoing->from->mailbox, ps_global->VAR_USER_ID) != 0
@@ -4014,6 +4018,7 @@
      outgoing->sender->mailbox = cpystr(ps_global->VAR_USER_ID);
      outgoing->sender->host = cpystr(ps_global->hostname);
  }
+ /****

         /*----- Message is edited, now decide what to do with it ----*/
  if(editor_result & (COMP_SUSPEND | COMP_GOTHUP | COMP_CANCEL)){
--------------------------------------------------------------------

ADDITIONAL INFORMATION

The information has been provided by <mailto:marquis@roble.com> Roger
Marquis.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages