Bug 30031 - joe tries to use ./.joerc
Summary: joe tries to use ./.joerc
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: joe   
Version: 7.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact: David Lawrence
Keywords: Security
 
Reported: 2001-02-28 17:21 UTC by Pekka Savola
Modified: 2014-01-21 22:48 UTC (History)
0 users

Doc Type: Bug Fix
Last Closed: 2001-02-28 17:21:48 UTC
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2001:024
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.
Last Updated: 2001-02-28 05:00:00 UTC

Description Pekka Savola 2001-02-28 17:21:43 UTC
As per:

---
Date: Wed, 28 Feb 2001 15:13:42 +0100
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Joe's Own Editor File Handling Error
---

Joe tries to use ./.joerc for its configuration file.  If joe is used in a
world-writable directory, an attacker can create .joerc there with malicious
definitions that may lead to local user login (/root if root uses joe) compromise.

Don't they ever learn...

Comment 1 Trond Eivind Glomsrød 2001-02-28 22:15:05 UTC
Doh. Stuuuupid people. (not that any non-newbie would use joe on a regular basis
anyway). Fixed in joe-2.8-44.



Comment 2 Seth Vidal 2001-03-01 06:36:58 UTC
this should really be a fix that gets pushed out to 6.X and 7.0 - it's a dumb
error but it could be exploited and I know (I am) a person who uses joe all the
time.

course - I've already patched my joe rpm :)

-sv


Comment 3 Trond Eivind Glomsrød 2001-03-01 07:01:41 UTC
I've already made rpms and an errata request for 5.2, 6.2 and 7.
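
A loader-side check that would refuse a .joerc planted by another user in a shared directory, as an added example: it is not joe's code and not the fix shipped in joe-2.8-44, which this report does not describe. The names open_trusted_rc and demo_check are hypothetical, and the test file is constructed in a temporary directory.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open an rc file only if it is a regular file, owned by the invoking user
 * or root, and not writable by group or others. Returns an fd or -1.
 * O_NOFOLLOW refuses a symlink as the final component; the checks use
 * fstat() on the open descriptor, so the file validated is the file read. */
int open_trusted_rc(const char *path)
{
    struct stat st;
    /* O_NONBLOCK keeps open() from hanging if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != geteuid() && st.st_uid != 0) ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed test: create .joerc with the given mode in a temp directory
 * and report whether open_trusted_rc() accepts (1) or rejects (0) it. */
int demo_check(mode_t mode)
{
    char dir[] = "/tmp/rcdemoXXXXXX", path[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/.joerc", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    fchmod(fd, mode);            /* set the exact mode, ignoring umask */
    close(fd);
    int rc = open_trusted_rc(path);
    int ok = rc >= 0;
    if (ok) close(rc);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("0600 -> %d, 0666 -> %d\n", demo_check(0600), demo_check(0666));
    return 0;
}
```

A file dropped by another local user in a world-writable directory carries that user's uid, so it fails the ownership test even when its mode bits look strict.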

