joe -- local exploit

ID DSA-041
Type debian
Reporter Debian
Modified 2001-03-09T00:00:00


Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: The current directory, the users homedirectory ($HOME) and in /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling) reading it from the current directory can be dangerous: An attacker can leave a .joerc file in a writable directory, which would be read when a unsuspecting user starts joe in that directory.

This has been fixed in version 2.8-15.3 and we recommend that you upgrade your joe package immediately.