Date: Fri, 8 Dec 2000 17:56:40 -0200
Subject: [CLA-2000:356] Conectiva Linux Security Announcement -
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : joe
SUMMARY : Symlink attack
DATE : 2000-12-08 17:56:00
ID : CLA-2000:356
RELEASES : 4.0, 4.0es, 4.1, 4.2, 5.0, prg gráficos, ecommerce, 5.1, 6.0
DESCRIPTION "joe" is a small text editor which is also shipped
with Conectiva Linux. If joe is closed in a non-standard way (such
as receiving an external TERM signal), it will create a file called
DEADJOE in the directory where it was called from. If this file is
a symbolic link, it will be followed. An attacker could create a
symbolic link called DEADJOE in a directory and link it to
sensitive system files. If the root user runs joe from that
directory, and the program exits abnormally, it would add data to
this sensitive file, probably corrupting it.
All users of the joe editor should upgrade.
Users of Conectiva Linux version 6.0 or higher may use apt to
- add the following line to /etc/apt/sources.list if it is not
there yet (you may also use linuxconf to do this):
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.