Is there a “remote exploit” bug in Pine’s handling of mailcap entries?
Many people have inquired about a recent widely-distributed message describing a “remote exploit in pine,” specifically, a “vulnerability in the metamail package used with pine” and a claim that the “`” character “is incorrectly expanded by pine.” We believe the following to be true:

• There is indeed a vulnerability in the default mailcap file distributed with the popular metamail MIME-support package.
• This same mailcap file has in the past been included in Pine distributions as a sample; however, this sample file is not used by Pine unless it is manually installed and renamed.
• While the metamail package can be used with Pine, Pine does not require the installation of metamail.
• If a site chooses to install metamail, they should definitely expunge the dangerous entries from the default mailcap file. A corrected mailcap file is available.
• If correcting the system mailcap file is not immediately possible, users may wish to set Pine’s “mailcap-search-path” variable to a personal m