
Pine 4.44 Privacy Patch


Roger Marquis

Jun 7, 2002, 6:06:51 PM

Problem description:

The Pine email client allows users to define the "From:"
address independent of their Unix username. This is an
indispensable feature for help desks and other role accounts.

Unfortunately, user names and/or ids can still be leaked due to
Pine's insertion of "Sender:" and/or "X-Sender:" headers. Pine
versions earlier than 4.44 may also insert the Unix username
into other envelope and header fields.

Solution:

Applying the following patch to pine 4.4 will cause
{X-}Sender: headers to be omitted. Users may also need to
define a remote "smtp-server" to prevent certain local MTAs
from inserting this information. Other details on changing
Pine's "From:" line are detailed in the FAQ at:

http://www.washington.edu/pine/faq/config.html#9.5

To apply this patch, download the source code from:

ftp://ftp.cac.washington.edu/pine/

Unpack (tar xzvf ...) and cd into the source directory, apply
the patch (patch < patch_file_name) and recompile per the
documentation.

Disclaimers:

This patch has been tested under Solaris and FreeBSD operating
systems using the gcc compiler; however, no warranty is made
regarding its accuracy or reliability. Use it at your own
risk.

Pine and Pico are registered trademarks of the University of
Washington. No commercial use of these trademarks may be made
without prior written permission of the University of
Washington. Pine, Pico, and Pilot software and its included
text are Copyright 1989-2002 by the University of Washington.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


--------------------------------------------------------------------
--- pine/send.c.orig Tue Jan 8 12:59:37 2002
+++ pine/send.c Sat Mar 9 09:17:08 2002
@@ -3989,12 +3989,15 @@

outgoing->return_path = rfc822_cpy_adr(outgoing->from);

+
/*
* Don't ever believe the sender that is there.
* If From doesn't look quite right, generate our own sender.
*/
+ /**** fix u-washington anti-privacy loophole
if(outgoing->sender)
mail_free_address(&outgoing->sender);
+ /****

/*
* If the LHS of the address doesn't match, or the RHS
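Review bot: disabling `mail_free_address(&outgoing->sender)` works against the stated goal. If `outgoing->sender` is already set when this code is reached, it is now left in place instead of being cleared, which is exactly what the surviving comment "Don't ever believe the sender that is there" warns against. Keep the two-line free and disable only the later block that builds a new sender from `VAR_USER_ID` and `hostname`. The added `/****` after it is also not a comment terminator, so this comment only ends at the `*/` of the following "If the LHS of the address doesn't match" comment; and the "generate our own sender" wording above no longer describes what the code does and should be updated.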
@@ -4003,6 +4006,7 @@
*
* Don't add a personal_name since the user can change that.
*/
+ /**** fix u-washington anti-privacy loophole
if(!outgoing->from
|| !outgoing->from->mailbox
|| strucmp(outgoing->from->mailbox, ps_global->VAR_USER_ID) != 0
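Review bot: the added `/**** fix u-washington anti-privacy loophole` in front of `if(!outgoing->from` does not say what is being turned off; a reader has to work out that it suppresses the generated Sender when the From mailbox differs from `VAR_USER_ID`. State that in the comment, and disable the block with `#if 0` / `#endif` rather than a block comment, since C comments do not nest and any `*/` inside the disabled region would end it early. As written the change is also unconditional for every user of the rebuilt binary; a build-time define would make that choice explicit.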
@@ -4014,6 +4018,7 @@
outgoing->sender->mailbox = cpystr(ps_global->VAR_USER_ID);
outgoing->sender->host = cpystr(ps_global->hostname);
}
+ /****

/*----- Message is edited, now decide what to do with it ----*/
if(editor_result & (COMP_SUSPEND | COMP_GOTHUP | COMP_CANCEL)){
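Review bot: the added `/****` after the closing `}` does not close anything. The comment opened in the previous hunk actually ends at the `*/` of `/*----- Message is edited, now decide what to do with it ----*/`, so that banner is swallowed and gcc reports a `/*` inside a comment when -Wcomment (part of -Wall) is on. Close the region explicitly with `****/`, or with the `#endif` of a `#if 0`, so the disabled range stops right after the `}`.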
--------------------------------------------------------------------
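To confirm what a rebuilt Pine actually sends, the following added example (not part of the original post or of Pine) scans a saved copy of a sent message for headers that still expose the Unix login or workstation name. The sample message, the login `jdoe`, the host `ws12.example.org` and the function name `leaking_headers` are constructed for illustration.

```python
import email
from email.utils import getaddresses

# Constructed sample: From: is a role address, but the message was composed
# by Unix login "jdoe" on host "ws12.example.org" (both hypothetical).
SAMPLE = """\
Received: from ws12.example.org (localhost [127.0.0.1])
\tby mail.example.org with ESMTP id ABC123 for <user@example.net>;
\tFri, 7 Jun 2002 18:06:51 -0700
From: Help Desk <helpdesk@example.org>
Sender: jdoe@ws12.example.org
X-Sender: jdoe@ws12.example.org
To: user@example.net
Subject: test
Message-ID: <Pine.GSO.4.44.0206071806510.1234-100000@ws12.example.org>

body
"""

# Headers whose value is an address list and may carry the real login.
ADDRESS_HEADERS = ("sender", "x-sender", "return-path", "reply-to")


def leaking_headers(raw, login, local_host):
    """Return sorted (header, reason) pairs for headers exposing login or host."""
    msg = email.message_from_string(raw)
    login, local_host = login.lower(), local_host.lower()
    # Addresses the user chose to show in From: are not counted as leaks.
    chosen = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    findings = set()
    for name, value in msg.items():
        lname = name.lower()
        if lname == "from":
            continue
        if lname in ADDRESS_HEADERS:
            for _, addr in getaddresses([value]):
                addr = addr.lower()
                if not addr or addr in chosen:
                    continue
                local, _, host = addr.partition("@")
                if local == login:
                    findings.add((name, "login"))
                elif host == local_host:
                    findings.add((name, "host"))
        elif local_host in value.lower():
            # Trace headers such as Received: and Message-ID: embed the host.
            findings.add((name, "host"))
    return sorted(findings)
```

With the `Sender:` and `X-Sender:` lines removed from the sample, the function still reports `Received` and `Message-ID`, the two places the `smtp-server` remark and the later Message-ID question in this thread are concerned with.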

NOSPAM

Jun 10, 2002, 7:18:39 PM
I don't get this patch. Unless I am missing something about the patch found
on the original of this post, it looks like the patch is only adding
comment lines to the original pine/send.c file. Can anyone out here confirm
this?

Eduardo Chappa

Jun 10, 2002, 7:34:19 PM
*** NOSPAM (Please...@NOSPAM.dynDNS.biz) wrote in comp.mail.pine today:

:) I don't get this patch. Unless I am missing something about the patch
:) found on the original of this post, it looks like the patch is only
:) adding comment lines to the original pine/send.c file. Can anyone out
:) here confirm this?

Yes, but it is commenting "out" some code. It's the same as if the person
had removed the piece of code enclosed between "/*" and "*/".

--
Eduardo
http://www.math.washington.edu/~chappa/pine/

NOSPAM

Jun 11, 2002, 12:01:54 AM
Eduardo Chappa wrote:

> *** NOSPAM (Please...@NOSPAM.dynDNS.biz) wrote in comp.mail.pine
> today:
>
> :) I don't get this patch. Unless I am missing something about the patch
> :) found on the original of this post, it looks like the patch is only
> :) adding comment lines to the original pine/send.c file. Can anyone out
> :) here confirm this?
>
> Yes, but it is commenting "out" some code. It's the same as if the person
> had removed the piece of code enclosed between "/*" and "*/".
>

Thanks for pointing that out. What was my brain thinking, C++ comment lines?

NOSPAM

Jun 11, 2002, 9:48:14 AM
This is awesome. I tried to put in "localhost" and the patch really removed
all the sender identity and replaced it with the one I assigned. Should I
put something else in the "smtp-server", besides "localhost"?

BTW, is there a way to remove the "Message-ID" through the .pinerc? If not,
it would certainly be better if someone can create another patch to remove
the "Message-ID" from the mail sent. That way, there is no trace at all of
where the e-mail comes from ... ;^)

a user

Jun 11, 2002, 11:26:11 AM
In article <ycnN8.160367$cQ3.4424@sccrnsc01>, NOSPAM wrote:
> This is awesome. I tried to put in "localhost" and the patch really removed
> all the sender identity and replaced it with the one I assigned. Should I
> put something else in the "smtp-server", besides "localhost"?
>
> BTW, is there a way to remove the "Message-ID" through the .pinerc? If not,
> it would certainly be better if someone can create another patch to remove
> the "Message-ID" from the mail sent. That way, there is no trace at all of
> where the e-mail comes from ... ;^)
>

But will the email still get thru if the remote checks for a valid
domain name?

