mailing list archives
Pine security problem
From: lforbes () arsc edu (Liam O. Forbes)
Date: Tue, 10 Sep 1996 17:26:06 -0800
-----BEGIN PGP SIGNED MESSAGE-----
This is in regards to the "fix" of the possible security problem in
Pine < v3.95. Pine 3.95 does indeed check for symbolic links, now, before
creating a mail lock file. However it has the same problem in another part
of the program. I have verified the problem in Pine 3.95 & Pine 3.91 using
Irix 5.3. I'll be looking into it on my Linux home system, but it's probably
While upgrading to the Pine 3.95, it was discovered that the alternate editor
feature creates a file "/tmp/pico.pid" where pid is the id of the active Pine
If you use the alternate editor feature, and a symbolic link exists with the
desired name, the link isn't checked like the mail lock file is, and the editor
dumps everything into the file pointed to by the symbolic link. This can lead
to several possible security breaches via:
1. the ability to mangle a target file.
2. the ability to eavesdrop on composed messages.
3. (if you are really fancy) the ability to set up at least one bogus
.rhosts entry by sending email to someone who responds to email by
quoting entire files.
There are probably several other things that can be done via this /tmp file
problem (and have been).
To see the exact problem:
1. set the editor variable in ~/.pinerc to something like /bin/vi.
2. start up pine
3. do a long listing of /tmp
4. start composing a message in pine, switch to the alternate editor via
5. do another long listing of /tmp
6. That "pico.###" file is the problem. As long as you are running the
current pine session, anyone can create a link with that name and,
at the least, capture whatever you write into your mail message.
Finally, when you exit the alternate editor, it deletes the /tmp file If
it was a link, the link gets deleted. No evidence of tampering remains.
What about using random file names and checking if those exist? The current
fix for the mail lock file seems like the work of a lazy programmer.
Liam Forbes lforbes () arsc edu http://www.arsc.edu/~lforbes
Box 756020 910 Yukon Dr. Suite 106 Fairbanks Ak 99775-6020
907-474-1898 fax: 907-474-5494 finger: Geek code & PGP pub key
High Performance Computing Systems Programmer/Analyst I
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
- Pine security problem Liam O. Forbes (Sep 11)