4146239 1999-07-18  05:15  /66 lines/ Postmaster
Recipient: Bugtraq (import) <6999>
Subject: joe 2.8 makes world-readable DEADJOE
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSI.3.95.990717040216.12080A-100000@blues.jpj.net>
Date:         Sat, 17 Jul 1999 05:06:06 -0400
Reply-To: Trevor Johnson <trevor@jpj.net>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Trevor Johnson <trevor@jpj.net>
X-To:         sbr <sbr@DIRECT.CA>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM, "Joseph H. Allen"
             <jhallen@world.std.com>,
             submit@bugs.debian.org, Cristian Gafton <gafton@redhat.com>,
             security@redhat.com, andrews@technologist.com,
             freebsd-gnats-submit@freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3.0.6.32.19990714143115.00a0cbe0@199.60.228.51>

Package: joe
Version: 2.8-12

I'm just guessing about the Debian version above.

sbr wrote:

> I recently started using a new editor called joe, with this editor there is
> a feature that if your existing session is terminated, it creates a DEADJOE
> in the directory.  While editing my shadow file my connection was
> terminated, thus leaving the DEADJOE in my /etc directory that was world
> readable containing my entire shadow file.  I think the problem is self
> explanatory.  I have emailed the creator and there is no feature to disable
> this that I can find or mentioned in the email.  My umask setting does not
> seem to affect the permissions of DEADJOE.
>
> The operating system is Debian Linux 2.1 kernel 2.2.10 i386.
>
> 	- Spencer.

How-To-Repeat:  use joe to edit a file, then kill -HUP its process.
                I was able to reproduce this with joe 2.8 under Red Hat
                6.0, with either Red Hat's -18 patches or the
                FreeBSD-current patches applied, so it looks like FreeBSD
                is probably vulnerable too.
Fix:  here's a patch against the pristine source, only tested on Red Hat.
Confidential:  no
__
Trevor Johnson

--- b.c.orig	Fri Jan 20 00:38:25 1995
+++ b.c	Sat Jul 17 01:54:09 1999
@@ -21,6 +21,7 @@
 #include <pwd.h>
 #endif
 #include <errno.h>
+#include <sys/types.h>

 #include "config.h"
 #include "blocks.h"
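Review bot: `<sys/types.h>` supplies `mode_t`, but `umask()` itself is declared in `<sys/stat.h>`, which this hunk does not add; unless b.c already includes it further up (not visible in the patch), the `umask (077)` call in the next hunk compiles through an implicit declaration. Suggest adding `#include <sys/stat.h>` beside the new line, or confirming it is already present.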
@@ -1990,6 +1991,7 @@
  {
  long tim=time(0);
  B *b;
+ mode_t mask=umask (077); /* no access to DEADJOE for others */
  FILE *f=fopen("DEADJOE","a");
  fprintf(f,"\n*** Modified files in JOE when it aborted on %s",ctime(&tim));
  if(sig) fprintf(f,"*** JOE was aborted by signal %d\n",sig);
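Review bot: `mask` is saved but never used in these lines, so the process umask is left at 077 after the dump is written; either restore it with `umask(mask);` right after the `fopen` or drop the variable. Two further points on the same lines: `fopen("DEADJOE","a")` appends to an existing file without touching its mode, so a DEADJOE already left world-readable by an earlier crash (or pre-created by another user in a shared directory) still receives the new contents; a `chmod` of the file to 0600, or an `open()` with `O_CREAT` and mode 0600 followed by a mode check, would close that gap. And `f` is passed to `fprintf` without a NULL check, so a failed `fopen` (read-only or unwritable directory) crashes inside the abort handler; this predates the patch but is worth fixing while the line is being touched.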
(4146239) -----------------------------------
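The thread above describes the weak pattern (a crash-dump file created through `fopen("DEADJOE","a")` with permissions governed only by the process umask) and a fix that narrows the umask before the `fopen`. The following is an added example, written for this page and not code from joe or from the posted patch, that puts the naive pattern beside a hardened variant and measures the resulting modes. The hardened variant goes beyond the patch in two ways that are this example's own choices: it opens with an explicit mode of 0600 plus `O_NOFOLLOW`, and it checks and tightens the mode of a pre-existing dump before appending to it, which is the case the umask fix alone does not cover. The temporary directory path and the shadow-style sample line are constructed for the demonstration.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp, fdopen on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Unpatched joe 2.8 pattern: fopen(..., "a") asks for mode 0666 and only the
 * process umask trims it, so under umask 022 the dump is created 0644. */
static int write_deadjoe_naive(const char *path, const char *text)
{
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fprintf(f, "%s", text);
    return fclose(f);
}

/* Hardened variant (this example's own, not joe's or the posted patch):
 * explicit 0600 so the umask can only remove bits; O_NOFOLLOW so a symlink
 * planted under the name cannot redirect the dump; O_APPEND|O_CREAT keeps
 * joe's append-to-existing behaviour, but an existing file must be a regular
 * file we own, and its mode is tightened to 0600 before anything is written. */
static int write_deadjoe_safe(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    struct stat st;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    if ((st.st_mode & 077) != 0 && fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "a");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fprintf(f, "%s", text);
    return fclose(f);
}

/* Permission bits of a path (lstat, so a symlink is reported as itself). */
static int file_mode(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Runs both variants in a fresh temporary directory under umask 022: naive
 * create, safe create, then a safe append onto the leaked 0644 file. */
int run_demo(int *naive_mode, int *safe_new_mode, int *safe_existing_mode)
{
    char dir[] = "/tmp/deadjoe-demo-XXXXXX";       /* hypothetical location */
    char naive[64], safe[64];
    const char *sample = "root:$1$constructed$notarealhash:14000:0:99999:7:::\n";
    mode_t old = umask(022);
    int rc = -1;

    if (mkdtemp(dir) == NULL) {
        umask(old);
        return -1;
    }
    snprintf(naive, sizeof naive, "%s/DEADJOE.naive", dir);
    snprintf(safe, sizeof safe, "%s/DEADJOE.safe", dir);

    if (write_deadjoe_naive(naive, sample) == 0 &&
        write_deadjoe_safe(safe, sample) == 0) {
        *naive_mode = file_mode(naive);
        *safe_new_mode = file_mode(safe);
        if (write_deadjoe_safe(naive, "second crash\n") == 0) {
            *safe_existing_mode = file_mode(naive);
            rc = 0;
        }
    }
    unlink(naive);
    unlink(safe);
    rmdir(dir);
    umask(old);
    return rc;
}

int main(void)
{
    int a, b, c;
    if (run_demo(&a, &b, &c) != 0)
        return 1;
    printf("naive %04o, safe new %04o, safe append onto leaked %04o\n", a, b, c);
    return 0;
}
```

Under umask 022 the naive file comes out 0644, the safe file 0600, and the second safe call tightens the leaked 0644 file to 0600 before appending to it. Restricting the umask as the patch does gives the same 0600 on a freshly created file, but it is the `fchmod` path that handles a dump already sitting in the directory with wider permissions, and the ownership and regular-file checks are what stop the handler from writing through a file someone else planted.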