Debian Security Advisory
DSA-041-1 joe -- local exploit
- Date Reported:
- 09 Mar 2001
- Affected Packages:
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 2437.
In Mitre's CVE dictionary: CVE-2001-0289.
- More information:
- Christer Öberg of Wkit Security AB found a problem in joe
(Joe's Own Editor). joe will look for a configuration file in three locations:
The current directory, the users homedirectory ($HOME) and in /etc/joe. Since
the configuration file can define commands joe will run (for example to check
spelling) reading it from the current directory can be dangerous: An attacker
can leave a .joerc file in a writable directory, which would be read when a
unsuspecting user starts joe in that directory.
This has been fixed in version 2.8-15.3 and we recommend that you upgrade your joe package immediately.
- Fixed in:
Debian 2.2 (potato)