
Re: Bug#77257: FWD: Joe's Own Editor File Link Vulnerability

On Fri, Nov 17, 2000 at 03:26:04PM +0100, Josip Rodin wrote:
> On Thu, Nov 16, 2000 at 11:21:15PM -0800, Joey Hess wrote:
> > Package: joe
> > Version: 2.8
> > Severity: important
> > 
> >  FILE *f=fopen("DEADJOE","a");
> > 
> > Looks vulnerable indeed. Amusingly Debian has already patched right
> > above this line to not make the DEADJOE file mode 755, to prevent
> > sensitive data (/etc/shadow) leakage. We were so close..

> The fix would be to use open(2) and set the O_EXCL flag so it bails out?

A fix, but it breaks the intended behaviour ("a" for append IIRC). Putting 
DEADJOE in $HOME might be a nicer solution?

Unfortunately most editors are vulnerable to problems like this (indeed, 
most are far more serious than this). I submitted patches for similar problems 
in vim to the upstream just a few weeks ago, for instance; jed also had similar 
problems (bug #51213). And those are just the ones I've used...

Colin Phipps                            http://www.netcraft.com/
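
An added example, not part of the original message or of joe's source: a third option next to the two discussed above (O_EXCL, or moving DEADJOE to $HOME) is to keep the append behaviour but refuse to open a planted link. The names open_append_nofollow and demo are hypothetical, and the code assumes a platform whose open(2) supports O_NOFOLLOW.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append-open path, refusing a planted symlink; NULL means not safe. */
FILE *open_append_nofollow(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the last path component; O_APPEND|O_CREAT
     * keep the "a" behaviour; O_NONBLOCK avoids hanging on a planted FIFO. */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK,
                  0600);
    if (fd < 0) return NULL;
    /* Check what was actually opened: a regular file, ours, with one name
     * (a link count above 1 means a hard link to some other file). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return NULL;
    }
    FILE *f = fdopen(fd, "a");
    if (!f) close(fd);
    return f;
}

/* Constructed scenario in a scratch directory: DEADJOE is a symlink to a
 * "victim" file. Returns 0 if it is refused and a plain DEADJOE still appends. */
int demo(void)
{
    char dir[] = "/tmp/deadjoe-demo-XXXXXX";
    struct stat st;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    FILE *v = fopen("victim", "w");
    if (!v || fputs("keep", v) < 0 || fclose(v) != 0) return -1;
    if (symlink("victim", "DEADJOE") != 0) return -1;
    if (open_append_nofollow("DEADJOE") != NULL) return 1;  /* must refuse */
    unlink("DEADJOE");
    for (int i = 0; i < 2; i++) {                           /* two appends */
        FILE *f = open_append_nofollow("DEADJOE");
        if (!f) return 2;
        fputs("dump\n", f); fclose(f);
    }
    if (stat("DEADJOE", &st) != 0 || st.st_size != 10) return 3;
    return (stat("victim", &st) == 0 && st.st_size == 4) ? 0 : 4;
}
int main(void) { return demo(); }
```

O_NOFOLLOW only covers the final path component, which is enough for a bare "DEADJOE" opened in the current directory.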
