[linux-security] joe symlink bugs
- To: linux-security
- Subject: [linux-security] joe symlink bugs
- Date: Fri, 24 Nov 2000 11:11:39 -0800 (PST)
Topic
=====
When joe (Joe's Own Editor) dies abnormally it appends its open buffers
to a file "DEADJOE" in an insecure way.
Problem Description
===================
When exiting joe in a nonstandard way (such as a system crash, closing an
xterm, or a network connection going down), joe will unconditionally append
its open buffers to the file "DEADJOE". This could be exploited by the
creation of DEADJOE symlinks in directories where root would normally use
joe. In this way, joe could be used to append garbage to
potentially-sensitive files, resulting in a denial of service.
Affected Systems
================
You are affected only if you use joe to edit files as root.
Workaround
==========
Don't use joe (until today I didn't even know what this is)
Solution
========
RedHat 6.x
    rpm -Fvh joe-2.8-42.62.i386.rpm
RedHat 7.0
    rpm -Fvh joe-2.8-43.i386.rpm
Debian
    upgrade to joe_2.8-15.1_i386.deb
Mandrake 6.x, 7.0
    rpm -Fvh joe-2.8-21.3mdk.i586.rpm
Mandrake 7.1
    rpm -Fvh joe-2.8-21.2mdk.i586.rpm
Mandrake 7.2
    rpm -Fvh joe-2.8-21.1mdk.i586.rpm
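
Added example (not part of the original advisory and not joe's actual patch, whose details the advisory does not give): one way a program can append to a recovery file such as DEADJOE without the unconditional-append weakness from the Problem Description. The helper name open_recovery_file, the scratch directory and the "sensitive" stand-in file are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not joe's code): open a recovery file for append
 * without following a planted link. Returns an fd, or -1 on refusal. */
int open_recovery_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Check the object actually opened: a regular file, owned by us, with
     * no second hard link tying it to some other path. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a scratch directory. Result bits: 1 = DEADJOE
 * symlink refused, target still empty; 2 = plain DEADJOE path written. */
int run_demo(void)
{
    char dir[] = "/tmp/deadjoe-demo-XXXXXX", target[64], dj[64];
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/sensitive", dir);
    snprintf(dj, sizeof dj, "%s/DEADJOE", dir);
    if ((fd = open(target, O_WRONLY | O_CREAT, 0600)) < 0 || close(fd) != 0 ||
        symlink(target, dj) != 0) return -1;
    if (open_recovery_file(dj) < 0 && stat(target, &st) == 0 && st.st_size == 0)
        result |= 1;
    unlink(dj);                              /* remove the planted link */
    if ((fd = open_recovery_file(dj)) >= 0) {
        if (write(fd, "buffer\n", 7) == 7) result |= 2;
        close(fd);
    }
    unlink(dj); unlink(target); rmdir(dir);
    return result;
}
int main(void) { printf("result = %d\n", run_demo()); return 0; }
```

O_NOFOLLOW only guards the final path component, so the directory holding DEADJOE still has to be one that other users cannot rearrange.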