Debian Security Advisory
DSA-003-1 joe -- symlink attack
- Date Reported:
- 01 Dec 2000
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-1178.
- More information:
- The security fix for joe released on November 22, 2000 had
a problem: it created the DEADJOE file securely but didn't write anything to
it. This has been fixed in version 2.8-15.2.
This is the text from the previous advisory:
When joe (Joe's Own Editor) dies due to a signal instead of a normal exit it saves a list of the files it is editing to a file called `DEADJOE' in its current directory. Unfortunately this wasn't done safely which made joe vulnerable to a symlink attack.
- Fixed in:
Debian 2.2 (potato)