Bug 30031 - joe tries to use ./.joerc
Summary: joe tries to use ./.joerc
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: joe
Version: 7.0
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrød
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-02-28 17:21 UTC by Pekka Savola
Modified: 2014-01-21 22:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-02-28 17:21:48 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2001:024
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.
Last Updated: 2001-02-28 05:00:00 UTC

Description Pekka Savola 2001-02-28 17:21:43 UTC
As per:

---
Date: Wed, 28 Feb 2001 15:13:42 +0100
From: advisories
To: BUGTRAQ
Subject: Joe's Own Editor File Handling Error
---

Joe tries to use ./.joerc for its configuration file.  If joe is used in a world-writable
directory, an attacker can create .joerc there with malicious definitions that may
lead to local user login (/root if root uses joe) compromise.

Don't they ever learn...
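
The report above comes down to trusting a startup file found relative to the current directory. As an added example (not part of the original report, not joe's code, and not the change shipped in joe-2.8-44), the C code below shows one way an editor could restrict rc lookup to an absolute home directory and vet the file before parsing it; all function names are hypothetical.

```c
/* Added example: hypothetical helpers, not code from joe or the Red Hat fix. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trust a startup file only if it is a regular file, owned by the invoking
 * user or root, and not writable by group or others. */
int rc_stat_is_trusted(const struct stat *st, uid_t me) {
    if (!S_ISREG(st->st_mode) || (st->st_uid != me && st->st_uid != 0))
        return 0;
    return (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Open path read-only and vet the opened descriptor with fstat(), so the
 * file cannot be swapped between check and use. O_NOFOLLOW rejects a symlink
 * as the last path component; O_NONBLOCK avoids hanging on a planted FIFO.
 * Returns a file descriptor, or -1 if the file is missing or untrusted. */
int open_trusted_rc(const char *path, uid_t me) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !rc_stat_is_trusted(&st, me)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Build "<home>/.joerc"; a relative home would reintroduce a lookup
 * relative to the current directory, so it is refused. */
int home_rc_path(const char *home, char *buf, size_t len) {
    if (home == NULL || home[0] != '/')
        return -1;
    int n = snprintf(buf, len, "%s/.joerc", home);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void) {
    char path[4096];
    if (home_rc_path(getenv("HOME"), path, sizeof path) != 0)
        return 1;
    int fd = open_trusted_rc(path, getuid());
    printf("%s: %s\n", path, fd >= 0 ? "trusted" : "missing or untrusted");
    return 0;
}
```

The ownership and mode checks cover only the file itself; a caller that also accepts rc files from other locations would need to apply the same scrutiny to the containing directory.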

Comment 1 Trond Eivind Glomsrød 2001-02-28 22:15:05 UTC
Doh. Stuuuupid people. (not that any non-newbie would use joe on a regular basis
anyway). Fixed in joe-2.8-44.



Comment 2 Seth Vidal 2001-03-01 06:36:58 UTC
this should really be a fix that gets pushed out to 6.X and 7.0 - it's a dumb
error but it could be exploited and I know (I am) a person who uses joe all the
time.

course - I've already patched my joe rpm :)

-sv


Comment 3 Trond Eivind Glomsrød 2001-03-01 07:01:41 UTC
I've already made rpms and an errata request for 5.2, 6.2 and 7.

