Date:         Tue, 6 Mar 2001 12:08:34 -0800
From: Greg KH <greg@WIREX.COM>
Subject:      Immunix OS Security update for joe
To: BUGTRAQ@SECURITYFOCUS.COM

-----------------------------------------------------------------------
	Immunix OS Security Advisory

Packages updated:	joe
Affected products:	Immunix OS 6.2 and 7.0-beta
Bugs Fixed:		immunix/1329
Date:			March 6, 2001
Advisory ID:		IMNX-2001-70-005-01
Author:			Greg Kroah-Hartman <greg@wirex.com>
-----------------------------------------------------------------------

Description:
  The version of joe shipped in Immunix OS 6.2 and 7.0-beta looks for a
  configuration file in the current working directory, the user's home
  directory and in /etc/joe.  A malicious user could create their own
  .joerc configuration file and try to get other users to use it.  If
  this happens, the victim would execute the malicious commands with the
  victim's own user id and privilege.  This problem was originally
  reported by WKIT Security AB, and more information on it can be found at
  http://www.wkit.com/content/eng/advisories/wsir0202.txt
  
  Immunix 7.0 does not install the joe package by default but provides
  it in the extras/unsupported directory, so it is not vulnerable unless
  the joe package has been installed manually by the system
  administrator.
  
  Packages have been created and released that fix this problem.


Package names and locations:

  Precompiled binary package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/RPMS/joe-2.8-43.62_StackGuard.i386.rpm
  
  Source package for Immunix 6.2 is available at:
    http://immunix.org/ImmunixOS/6.2/updates/SRPMS/joe-2.8-43.62_StackGuard.src.rpm

  Precompiled binary package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/RPMS/joe-2.8-43.7_imnx.i386.rpm
  
  Source package for Immunix 7.0-beta and 7.0 is available at:
    http://immunix.org/ImmunixOS/7.0/updates/SRPMS/joe-2.8-43.7_imnx.src.rpm


md5sums of the packages:
  af4179632fec1a6bf165f3c36323d1ec  joe-2.8-43.62_StackGuard.i386.rpm
  70a5925864e02b8ac3118d20aec97d7f  joe-2.8-43.62_StackGuard.src.rpm
  ae0d34096476456ac3df90358d9b7723  joe-2.8-43.7_imnx.i386.rpm
  5ca9476b3284b9d559dd786ea0c43dca  joe-2.8-43.7_imnx.src.rpm


Online version of all Immunix 6.2 updates and advisories:
  http://immunix.org/ImmunixOS/6.2/updates/

Online version of all Immunix 7.0-beta updates and advisories:
  http://immunix.org/ImmunixOS/7.0-beta/updates/

Online version of all Immunix 7.0 updates and advisories:
  http://immunix.org/ImmunixOS/7.0/updates/

NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html
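
The search order given in the Description (current working directory, home directory, /etc/joe) can be audited before starting the editor in a shared directory. The following is an added example, not part of the advisory or of joe: it reports which configuration file would be found first and whether it is safe to trust. The function names, the file name `joerc` inside /etc/joe, and the ownership and write-bit rule are assumptions of this example, not a description of the fix in the updated packages.

```python
import os
import stat
from pathlib import Path


def candidates(cwd, home, etc_dir="/etc/joe"):
    """Search order from the advisory: working directory, home, /etc/joe."""
    return [
        ("cwd", Path(cwd) / ".joerc"),
        ("home", Path(home) / ".joerc"),
        ("system", Path(etc_dir) / "joerc"),  # file name is an assumption
    ]


def problems(path, owner_uid):
    """Reasons the file at `path` should not be trusted as owner_uid's config."""
    st = os.lstat(path)  # lstat: a symlink planted in a shared dir is judged itself
    found = []
    if not stat.S_ISREG(st.st_mode):
        found.append("not a regular file")
    if st.st_uid != owner_uid:
        found.append(f"owned by uid {st.st_uid}, not {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("writable by group or others")
    return found


def audit(cwd, home, uid, etc_dir="/etc/joe"):
    """Return (source, path, problems) for the first config found, else None."""
    for source, path in candidates(cwd, home, etc_dir):
        if os.path.lexists(path):
            # The system-wide file is expected to belong to root (uid 0).
            expected = 0 if source == "system" else uid
            return source, str(path), problems(path, expected)
    return None


if __name__ == "__main__":
    hit = audit(os.getcwd(), Path.home(), os.getuid())
    if hit is None:
        print("no joe configuration file found")
    else:
        source, path, issues = hit
        print(f"{source}: {path}: {'; '.join(issues) or 'ok'}")
```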

