The pine team are being _very careful_; they believe pine 4 to be "OK" but
are not taking chances; mutt had a very major buffer overflow problem with
published exploit etc.
--
Alan Thew alan.thew@???
Computing Services, University of Liverpool Fax: +44 151 794-4442
On Thu, 13 Aug 1998 patl@??? wrote:
> > patl@??? probably said:
> > > Furthermore, the problem appears to only affect MUAs for various
> > > flavors of Windows. Apparently the faulty programs assume that
> > > the filenames specified will be legal FAT/VFAT/NTFS/... constructs
> > > with no single component exceeding the OS' name length restrictions.
> > > (E.g. 8.3 for Windows 3.x/FAT) Unix programs tend to be much more
> > > liberal in the filenames they expect. (I don't know about Macs,
> > > AmigaDOS or other OSes. I suspect that most of them are a small
> > > enough segment of the market that they aren't even targeted.)
> >
> > Not true - both pine and mutt were two examples of unix programs that were
> > vulnerable.
>
> Hmm. All the discussions I'd seen only mentioned Windows clients.
>
> I can't say I'm really surprised though. C practically invites
> this sort of error; and few engineers have the discipline to really
> program defensively.
>
>
> In any case, it isn't the responsibility of the MTA to protect MUAs
> from message bodies that comply with RFC822 but happen to tickle
> MUA implementation bugs. Or even from messages that comply with
> RFC822 but not with any of the various MIME-related RFCs.
>
> That being said; perhaps we could publish the Exim-filter equivalent
> of the procmail/perl hack; along with any info known about which
> client versions are vulnerable and where to look for client fixes.
>
>
>
> -Pat
>
> --
> *** Exim information can be found at http://www.exim.org/ ***
>
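
A mail-gateway check of the kind proposed in the thread, flagging messages whose attachment filenames have an overlong path component, might look like the following. This is an added example, not code from the thread, from Exim, or from the procmail/perl hack it mentions; the 255-byte limit, the function names and the sample message are assumptions.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Assumption: 255 bytes per path component; the thread gives no figure.
MAX_COMPONENT = 255

# Filename-like MIME parameters an MUA may use when saving an attachment.
NAME_PARAMS = (("Content-Disposition", "filename"), ("Content-Type", "name"))


def longest_component(name):
    """Length in bytes of the longest path component of a filename."""
    parts = re.split(r"[/\\]", name)
    return max(len(p.encode("utf-8", "replace")) for p in parts)


def overlong_names(raw, limit=MAX_COMPONENT):
    """Return [(header, length)] for each attachment name over the limit."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # RFC 2231 encoded parameters come back as a 3-tuple.
            name = collapse_rfc2231_value(value)
            length = longest_component(name)
            if length > limit:
                hits.append((header, length))
    return hits


def build_sample(name):
    """Constructed two-part test message with one named attachment."""
    return (
        b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--b1\r\nContent-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="' + name.encode() +
        b'"\r\n\r\ndata\r\n--b1--\r\n'
    )


if __name__ == "__main__":
    print(overlong_names(build_sample("A" * 300 + ".txt")))
```

A gateway would quarantine or tag any message for which `overlong_names` returns a non-empty list; the messages themselves remain valid RFC822, which is why the check has to look inside the MIME headers of each part.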