Secunia

Secunia Research has discovered two vulnerabilities in Pegasus Mail, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists when using the reply from a POP3 server to construct trace messages that are displayed to the user if an error occurs when downloading emails. This can be exploited to cause a stack-based buffer overflow via an overly long POP3 reply.

Successful exploitation allows arbitrary code execution but requires that the user is e.g. tricked into connecting to a malicious POP3 server.

2) An off-by-one error exists when displaying the RFC2822 message headers of an email to the user. This can be exploited to overwrite the least significant byte of the saved EBP via a email message header that is 1022 bytes or longer. This allows code execution on a Windows XP system.

Successful exploitation requires that the user is e.g. tricked into viewing the headers of a malicious email via the "Message headers..." menu item in the context menu of the email message.

The vulnerabilities have been confirmed in version 4.21c and 4.30PB1 (Public Beta 1), and also affects version 4.21a and 4.21b.

Solution
Update to version 4.31.
Further details available in Customer Area

Provided and/or discovered by
Tan Chew Keong, Secunia Research.

Original Advisory
Pegasus Mail:
http://www.pmail.com/newsflash.htm#secunia

Secunia Research:
http://secunia.com/secunia_research/2005-61/advisory/

Deep Links
Links available in Customer Area