Debian Security Advisory
DSA-041-1 joe -- local exploit
- Date Reported:
- 09 Mar 2001
- Affected Packages:
- joe
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 2437.
In Mitre's CVE dictionary: CVE-2001-0289.
- More information:
- Christer Öberg of Wkit Security AB found a problem in joe
(Joe's Own Editor). joe will look for a configuration file in three locations:
the current directory, the user's home directory ($HOME), and /etc/joe. Since
the configuration file can define commands joe will run (for example to check
spelling), reading it from the current directory can be dangerous: an attacker
can leave a .joerc file in a writable directory, which would be read when an
unsuspecting user starts joe in that directory.
This has been fixed in version 2.8-15.3 and we recommend that you upgrade your joe package immediately.
- Fixed in:
- Debian 2.2 (potato)
- Source:
- http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.diff.gz
- http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.dsc
- http://security.debian.org/dists/stable/updates/main/source/joe_2.8.orig.tar.gz
- alpha:
- http://security.debian.org/dists/stable/updates/main/binary-alpha/joe_2.8-15.3_alpha.deb
- arm:
- http://security.debian.org/dists/stable/updates/main/binary-arm/joe_2.8-15.3_arm.deb
- i386:
- http://security.debian.org/dists/stable/updates/main/binary-i386/joe_2.8-15.3_i386.deb
- m68k:
- http://security.debian.org/dists/stable/updates/main/binary-m68k/joe_2.8-15.3_m68k.deb
- powerpc:
- http://security.debian.org/dists/stable/updates/main/binary-powerpc/joe_2.8-15.3_powerpc.deb
- sparc:
- http://security.debian.org/dists/stable/updates/main/binary-sparc/joe_2.8-15.3_sparc.deb
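
An audit for the condition described under "More information", as an added example that is not part of the advisory: it lists .joerc files that sit in a group- or world-writable directory or are owned by another account, the places where a joe older than 2.8-15.3 started in that directory would read commands written by someone else. The function name `audit_joerc` and the tab-separated output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Debian's or joe's code.
# audit_joerc ROOT
#   Walks ROOT and prints "reason<TAB>path" for every .joerc that a
#   current-directory lookup could pick up from an untrusted source.
#   reason is "writable-dir", "foreign-owner", or both joined by a comma.
#   audit_joerc is a hypothetical helper name.

audit_joerc() {
    root=$1
    me=$(id -u)
    # -xdev keeps the walk on one filesystem; unreadable directories are skipped quietly
    find "$root" -xdev -type f -name .joerc 2>/dev/null |
    while IFS= read -r rc; do
        dir=$(dirname "$rc")
        reason=""
        # Directory writable by group or others: another account could have left the file
        if [ -n "$(find "$dir" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            reason="writable-dir"
        fi
        # File owned by an account other than the one running the audit
        if [ -n "$(find "$rc" -prune ! -user "$me" -print 2>/dev/null)" ]; then
            reason="${reason:+$reason,}foreign-owner"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$rc"
        fi
    done
}
```

A hit is a file to review before starting an unpatched joe in that directory; a user's own `$HOME/.joerc` in a private home directory is not reported.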