Date: Mon, 5 Mar 2001 13:14:15 -0600 (CST)
From: Kevin Day <toasty@temphost.dragondata.com>
To: ports@freebsd.org
Subject: Joe security patch
Message-ID: <200103051914.NAA29621@temphost.dragondata.com>
The patch introduced to fix a bug in joe (which was posted to bugtraq) breaks my current development environment, since the inclusion of .joerc in the path is important for (I'm guessing) many people using joe in large build trees. Can someone review this instead of the OpenBSD method?

Kevin (joe's maintainer)

--- main.c.orig Mon Mar 5 12:38:48 2001 +++ main.c Mon Mar 5 13:05:37 2001 @@ -21,6 +21,8 @@ #ifdef __FreeBSD__ #include <locale.h> #include <ctype.h> +#include <sys/types.h> +#include <sys/stat.h> #endif #include "config.h" #include "w.h" @@ -172,6 +174,7 @@ int omid; int backopt; int c; + struct stat sb; mainenv=envv; @@ -255,6 +258,14 @@ s=vsncpy(NULL,0,sc(".")); s=vsncpy(sv(s),sv(run)); s=vsncpy(sv(s),sc("rc")); + if ((stat(s,&sb)==0) && (sb.st_uid!=geteuid())) + { + char buf[8]; + fprintf(stderr,"'%s' exists and is not owned by you. This may be a security risk! Use it anyway?",s); + fflush(stderr); + fgets(buf,8,stdin); + if(buf[0]!='y' && buf[0]!='Y') goto skiplocaldir; + } c=procrc(cap,s); if(c==0) goto donerc; if(c==1) @@ -266,6 +277,7 @@ if(buf[0]=='y' || buf[0]=='Y') goto donerc; } + skiplocaldir: vsrm(s); s=getenv("HOME"); if(s) @@ -383,7 +395,7 @@ maint->curwin=maint->topwin; if(help) helpon(maint); if(!nonotice) - msgnw(lastw(maint)->object,"\\i** Joe's Own Editor v2.8l ** Copyright (C) 1995 Joseph H. Allen **\\i"); + msgnw(lastw(maint)->object,"\\i** Joe's Own Editor v2.8lr ** Copyright (C) 1995 Joseph H. Allen **\\i"); edloop(0); vclose(vmem); nclose(n);
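
Review bot: In the first hunk (@@ -21,6 +21,8 @@), <sys/types.h> and <sys/stat.h> are added inside the #ifdef __FreeBSD__ block, but no matching guard is visible around the stat() call added in the @@ -255 hunk, so a build without __FreeBSD__ defined would use struct stat and stat() without these headers. Either move the two includes outside the #ifdef or guard the new check the same way. The check also calls geteuid(), which is declared in <unistd.h>; that header is not among the includes visible in this hunk, so confirm it is already pulled in elsewhere in main.c.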
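
Review bot: In the @@ -255,6 +258,14 @@ hunk, the return value of fgets(buf,8,stdin) is not checked, so when stdin is at end-of-file or the read fails, buf[0] is read uninitialized and the outcome of the 'y'/'Y' test is undefined. Treat a NULL return as a refusal, for example: if(!fgets(buf,8,stdin) || (buf[0]!='y' && buf[0]!='Y')) goto skiplocaldir; Two further points on the same check: stat(s,&sb) and the following procrc(cap,s) each resolve the path by name, so the file can be replaced between the ownership test and the load; and the test looks only at sb.st_uid, so a file you own that is writable by group or others (visible in sb.st_mode) is still loaded without a prompt.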
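
Review bot: In the last hunk (@@ -383,7 +395,7 @@), the banner string changes from v2.8l to v2.8lr with no explanation in the message. If the extra "r" is meant to mark the patched build, say so in the description; otherwise keep the string change out of the security fix so the patch contains only the ownership check.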