Bugtraq mailing list archives
joe 2.8 makes world-readable DEADJOE
From: trevor () JPJ NET (Trevor Johnson)
Date: Sat, 17 Jul 1999 05:06:06 -0400
Package: joe Version: 2.8-12 I'm just guessing about the Debian version above. sbr wrote:
I recently started using a new editor called joe, with this editor there is a feature that if your existing session is terminated, it creates a DEADJOE in the directory. While editing my shadow file my connection was terminated, thus leaving the DEADJOE in my /etc directory that was world readable containing my entire shadow file. I think the problem is self explanitory. I have emailed the creator and there is no feature to disable this that I can find or mentioned in the email. My umask setting does not seem to affect the permissions of DEADJOE. The operating system is Debian Linux 2.1 kernel 2.2.10 i386. - Spencer.
How-To-Repeat: use joe to edit a file, then kill -HUP its process. I was able to reproduce this with joe 2.8 under Red Hat 6.0, with either Red Hat's -18 patches or the FreeBSD-current patches applied, so it looks like FreeBSD is probably vulnerable too. Fix: here's a patch against the pristine source, only tested on Red Hat. Confidential: no __ Trevor Johnson --- b.c.orig Fri Jan 20 00:38:25 1995 +++ b.c Sat Jul 17 01:54:09 1999 @@ -21,6 +21,7 @@ #include <pwd.h> #endif #include <errno.h> +#include <sys/types.h> #include "config.h" #include "blocks.h" @@ -1990,6 +1991,7 @@ { long tim=time(0); B *b; + mode_t mask=umask (077); /* no access to DEADJOE for others */ FILE *f=fopen("DEADJOE","a"); fprintf(f,"\n*** Modified files in JOE when it aborted on %s",ctime(&tim)); if(sig) fprintf(f,"*** JOE was aborted by signal %d\n",sig);
Current thread:
- Re: L0pht 'Domino' Vulnerability is alive and well, (continued)
- Re: L0pht 'Domino' Vulnerability is alive and well Ryan Thomas Tecco (Jul 09)
- Communicator 4.[56]x, JavaScript used to bypass cookie settings Peter W (Jul 09)
- (no subject) Anonymous (Jul 09)
- Re: your mail Darren Reed (Jul 12)
- Navigator cookie security Oliver Lineham (Jul 09)
- Re: Communicator 4.[56]x, JavaScript used to bypass cookie settings Claudio Telmon (Jul 13)
- Solaris 2.6/7 NTP permissions problem john_smith () RD QMS COM (Jul 14)
- Privacy concerns in interMute John Temples (Jul 16)
- Re: Solaris 2.6/7 NTP permissions problem Casper Dik (Jul 16)
- (no subject) sbr (Jul 14)
- joe 2.8 makes world-readable DEADJOE Trevor Johnson (Jul 17)
- Re: your mail hal (Jul 19)