joe 2.8 makes world-readable DEADJOE

[trevor () JPJ NET (Trevor Johnson)]

Package: joe
Version: 2.8-12

I'm just guessing about the Debian version above.

sbr wrote:

> I recently started using a new editor called joe, with this editor there is
> a feature that if your existing session is terminated, it creates a DEADJOE
> in the directory.  While editing my shadow file my connection was
> terminated, thus leaving the DEADJOE in my /etc directory that was world
> readable containing my entire shadow file.  I think the problem is self
> explanitory.  I have emailed the creator and there is no feature to disable
> this that I can find or mentioned in the email.  My umask setting does not
> seem to affect the permissions of DEADJOE.
>
> The operating system is Debian Linux 2.1 kernel 2.2.10 i386.
>
>       - Spencer.

How-To-Repeat:  use joe to edit a file, then kill -HUP its process.
                I was able to reproduce this with joe 2.8 under Red Hat
                6.0, with either Red Hat's -18 patches or the
                FreeBSD-current patches applied, so it looks like FreeBSD
                is probably vulnerable too.
Fix:  here's a patch against the pristine source, only tested on Red Hat.
Confidential:  no
__
Trevor Johnson

--- b.c.orig    Fri Jan 20 00:38:25 1995
+++ b.c Sat Jul 17 01:54:09 1999
@@ -21,6 +21,7 @@
 #include <pwd.h>
 #endif
 #include <errno.h>
+#include <sys/types.h>

 #include "config.h"
 #include "blocks.h"
@@ -1990,6 +1991,7 @@
  {
  long tim=time(0);
  B *b;
+ mode_t mask=umask (077); /* no access to DEADJOE for others */
  FILE *f=fopen("DEADJOE","a");
  fprintf(f,"\n*** Modified files in JOE when it aborted on %s",ctime(&tim));
  if(sig) fprintf(f,"*** JOE was aborted by signal %d\n",sig);