From: Brad
Date: Wed, 28 Feb 2001 14:25:22 -0500 (EST)
Subject: Re: Joe's Own Editor File Handling Error
Sender: owner-freebsd-ports@FreeBSD.ORG

After looking through the patches that OpenBSD/FreeBSD/NetBSD have for
their joe ports, it looks like joe is still vulnerable in the
FreeBSD/NetBSD ports trees, but not in the OpenBSD ports tree as of
Dec 22 1998.

revision 1.3
date: 1998/12/22 03:58:13; author: form; state: Exp; lines: +74 -55
Do not use ./.xxxrc startup file.
Startup files order: ~/.xxxrc, /etc/joe/xxxrc, ${PREFIX}/lib/joe/xxxrc.

// Brad
brad@comstyle.com
brad@openbsd.org

>TITLE: Joe's Own Editor File Handling Error
>ADVISORY ID: WSIR-01/02-02
>REFERENCE: http://www.wkit.com/advisories
>CVE: GENERIC-MAP-NOMATCH
>CREDIT: Christer Öberg, Wkit Security AB
>CONTACT: advisories@wkit.com
>CLASS: File Handling Error
>OBJECT: joe(1) (exec)
>VENDOR: Josef H. Allen
>STATUS:
>REMOTE: No
>LOCAL: Yes
>VULNERABLE: Joseph Allen joe 2.8
>
>DATE
> CREATED: 26/02/2001
> LAST UPDATED:
> VENDOR CONTACT:
> RELEASE: 28/02/2001
>
>VULNERABILITY DESCRIPTION
> joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
> /usr/local/lib/joerc in that order. Users could be tricked into executing
> commands if they open/edit a file with joe in a directory where other
> users can write.
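An added example, not part of the original thread or of any ports patch: an audit helper for hosts still running an unpatched joe, which flags directories where the ./.joerc lookup described in the advisory would read a file that someone other than the invoking user controls. Only the file name .joerc comes from the advisory; the function names, finding labels and the ownership/permission checks are assumptions of this sketch.

```python
import os
import stat

RC_NAME = ".joerc"  # per-directory startup file named in the advisory
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_directory(path, uid=None):
    """Return findings for running joe with `path` as the working directory.

    uid is the user who would run the editor (default: the current user).
    """
    uid = os.getuid() if uid is None else uid
    findings = []
    d = os.stat(path)
    # Anyone who can create files here can plant a startup file. The sticky
    # bit does not help: it restricts delete/rename, not creation.
    if d.st_uid not in (uid, 0) or d.st_mode & OTHERS_WRITE:
        findings.append("dir-writable-by-others")
    try:
        st = os.lstat(os.path.join(path, RC_NAME))  # lstat: do not follow links
    except FileNotFoundError:
        return findings
    findings.append("rc-present")
    if st.st_uid != uid:
        findings.append("rc-foreign-owner")
    if stat.S_ISLNK(st.st_mode):
        findings.append("rc-symlink")
    elif st.st_mode & OTHERS_WRITE:
        findings.append("rc-writable-by-others")
    return findings


def scan(root, uid=None):
    """Walk `root` and audit every directory that already holds a startup file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if RC_NAME in files:
            hits[dirpath] = audit_directory(dirpath, uid)
    return hits


if __name__ == "__main__":
    # Shared scratch directories are the typical "other users can write" case.
    for where, what in scan("/tmp").items():
        print(where, ",".join(what))
```

A directory that reports "rc-present" together with "rc-foreign-owner" or "dir-writable-by-others" is one where an unpatched joe should not be started.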