Debian Security Advisory: joe local attack via joerc

Written By
Web Webster
Mar 9, 2001

Date: Fri, 9 Mar 2001 03:10:07 +0100
From: Wichert Akkerman wichert@cistron.nl
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA-041-1] joe local attack via joerc


Debian Security Advisory DSA-041-1                                      security@debian.org
http://www.debian.org/security/                                   Wichert Akkerman 
March  9, 2001


Package        : joe
Problem type   : local exploit
Debian-specific: no

Christer Öberg of Wkit Security AB found a problem in joe
(Joe's Own Editor). joe will look for a configuration file in three
locations: the current directory, the user's home directory ($HOME)
and /etc/joe. Since the configuration file can define commands
joe will run (for example to check spelling), reading it from the
current directory can be dangerous: an attacker can leave a .joerc
file in a writable directory, which would be read when an
unsuspecting user starts joe in that directory.

This has been fixed in version 2.8-15.3 and we recommend that
you upgrade your joe package immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato


Potato was released for alpha, arm, i386, m68k, powerpc and
sparc.

Source archives:

http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.diff.gz

MD5 checksum: cd6b006c8a2426ada62a6af1ddd001fe

http://security.debian.org/dists/stable/updates/main/source/joe_2.8-15.3.dsc

MD5 checksum: 4f3b3a027cd8baf4c3b1a282b31cb5ed

http://security.debian.org/dists/stable/updates/main/source/joe_2.8.orig.tar.gz

MD5 checksum: 84c1aebfce7876b8639945da3c29f204

Alpha architecture:

http://security.debian.org/dists/stable/updates/main/binary-alpha/joe_2.8-15.3_alpha.deb

MD5 checksum: bb4f2753fa7b05f5877b7bad353ac7a4

ARM architecture:

http://security.debian.org/dists/stable/updates/main/binary-arm/joe_2.8-15.3_arm.deb

MD5 checksum: 179c212d01bfaa898259028ce06a24a8

Intel ia32 architecture:

http://security.debian.org/dists/stable/updates/main/binary-i386/joe_2.8-15.3_i386.deb

MD5 checksum: 39f680f8fde72d0958431f617e774123

Motorola 680x0 architecture:

http://security.debian.org/dists/stable/updates/main/binary-m68k/joe_2.8-15.3_m68k.deb

MD5 checksum: 100db16eb2ff8aa43840cdde49d9b5a9

PowerPC architecture:

http://security.debian.org/dists/stable/updates/main/binary-powerpc/joe_2.8-15.3_powerpc.deb

MD5 checksum: 425019054e7eb9b104e96ff351132bf3

Sun Sparc architecture:

http://security.debian.org/dists/stable/updates/main/binary-sparc/joe_2.8-15.3_sparc.deb

MD5 checksum: 8f88ab48a61c0c9f5e955fdf0fc79d4e

These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.

For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
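
An audit for the exposure described in the advisory, as an added example that is not part of the Debian advisory or of joe itself: it walks a directory tree and reports .joerc files that a user starting joe there should not trust. The function name audit_joerc, the default scan roots /tmp and /var/tmp, and the trust criteria (owner, write bits, symlink) are assumptions of this example.

```python
import os
import stat
import sys

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_joerc(root, trusted_uids=None):
    """Return [(path, [reasons])] for .joerc files under root that should not be trusted."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}   # assumption: only root and the caller are trusted
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        if ".joerc" not in files:
            continue
        path = os.path.join(dirpath, ".joerc")
        try:
            st = os.lstat(path)           # lstat: inspect the link itself, not its target
            dir_st = os.stat(dirpath)
        except OSError:
            continue                      # vanished or unreadable while scanning
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            reasons.append("is a symlink")
        elif st.st_mode & WRITABLE_BY_OTHERS:
            reasons.append("file is group/world-writable")
        if st.st_uid not in trusted_uids:
            reasons.append(f"owned by uid {st.st_uid}")
        if dir_st.st_mode & WRITABLE_BY_OTHERS:
            # Anyone who can write here can plant a .joerc (sticky-bit dirs like /tmp included).
            reasons.append("directory is group/world-writable")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/tmp", "/var/tmp"]   # assumed default scan roots
    for r in roots:
        for path, reasons in audit_joerc(r):
            print(f"{path}: {', '.join(reasons)}")
```

Run it with the shared directories of a multi-user host as arguments; any hit in a directory where people start joe deserves a look at who created the file.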
