Debian Security Advisory
DSA-003-1 joe -- symlink attack
- Date Reported:
- 01 Dec 2000
- Affected Packages:
- joe
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2000-1178.
- More information:
- The security fix for joe released on November 22, 2000 had
a problem: it created the DEADJOE file securely but didn't write anything to
it. This has been fixed in version 2.8-15.2.
This is the text from the previous advisory:
When joe (Joe's Own Editor) dies due to a signal instead of a normal exit it saves a list of the files it is editing to a file called `DEADJOE' in its current directory. Unfortunately this wasn't done safely which made joe vulnerable to a symlink attack.
- Fixed in:
-
Debian 2.2 (potato)
- Source:
-
http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.2.diff.gz
-
http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.2.dsc
-
http://security.debian.org/dists/stable/updates/main/source/joe_2.8.orig.tar.gz
- alpha:
-
http://security.debian.org/dists/stable/updates/main/binary-alpha/joe_2.8-15.2_alpha.deb
- arm:
-
http://security.debian.org/dists/stable/updates/main/binary-arm/joe_2.8-15.2_arm.deb
- i386:
-
http://security.debian.org/dists/stable/updates/main/binary-i386/joe_2.8-15.2_i386.deb
- m68k:
-
http://security.debian.org/dists/stable/updates/main/binary-m68k/joe_2.8-15.2_m68k.deb
- powerpc:
-
http://security.debian.org/dists/stable/updates/main/binary-powerpc/joe_2.8-15.2_powerpc.deb
- sparc:
-
http://security.debian.org/dists/stable/updates/main/binary-sparc/joe_2.8-15.2_sparc.deb