Your message dated Sat, 01 Nov 2008 18:48:20 +0300
with message-id <[EMAIL PROTECTED]>
and subject line Fixed Bug#42631 JOE 3.5-1
has caused the Debian Bug report #42631,
regarding joe prints control characters in filenames without filtering
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
42631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=42631
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: joe
Version: 2.8-12
Severity: normal

Hi,

if you create a file named ^G (ctrl-g) and open it in joe, you will hear a
beep as the status line is updated; you will also hear it upon exit, when
joe prints the message about not updating the file because it was not
changed.

A malicious user could create a file whose name contains more harmful
control characters and wait for another user to open that file in joe
(perhaps inadvertently; e.g. by using the TAB completion of many shells, or
from a graphical user interface).

I admit this is a long shot, but still: filenames should be filtered and
control characters removed before the name of the file is printed.

This potentially affects many other packages as well. grep is also
vulnerable; I will post a separate report for that package, but currently
I don't have the time to check any others.

Best regards,

-- 
  Andrew Korn (Korn Andras) <[EMAIL PROTECTED]>  http://goliat.eik.bme.hu/~korn
    Finger [EMAIL PROTECTED] for pgp key.  Homepage is obsolete. QOTD:
        A little bit of censorship is like being a little bit pregnant.

-- System Information
Debian Release: potato
Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown

Versions of the packages joe depends on:
ii  libc6           2.1.2-0pre1    GNU C Library: Shared libraries and timezone
ii  libncurses4     4.2-3.2        Shared libraries for terminal handling


--- End Message ---
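
Added example, not part of the original report and not JOE's own fix: one way to filter a file name before it is printed on the status line, as the report asks. The function name `sanitize_filename`, its escaping rules and the sample names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not JOE's code): copy `name` into `out` in a form
 * that is safe to print on a terminal.
 *   - C0 controls (0x00-0x1f) and DEL become caret notation: ^G, ^[, ^?
 *   - bytes >= 0x80 become \xNN, so a raw C1 control such as 0x9b (CSI) is
 *     never sent; conservative, since it also escapes UTF-8 sequences
 * Returns the length written (without the NUL), or -1 if `out` is too
 * small. The result is for display only, not a reversible encoding. */
int sanitize_filename(const char *name, char *out, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;

    if (cap == 0)
        return -1;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        unsigned char c = *p;
        size_t need = (c >= 0x80) ? 4 : (c < 0x20 || c == 0x7f) ? 2 : 1;
        if (n + need + 1 > cap)          /* keep room for the NUL */
            return -1;
        if (c >= 0x80) {
            out[n++] = '\\';
            out[n++] = 'x';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        } else if (c < 0x20 || c == 0x7f) {
            out[n++] = '^';
            out[n++] = (char)(c ^ 0x40); /* 0x07 -> 'G', 0x7f -> '?' */
        } else {
            out[n++] = (char)c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed names: the ^G file from the report, one with an escape. */
    const char *samples[] = { "\a", "notes\x1b[31m.txt" };
    char buf[64];
    for (size_t i = 0; i < 2; i++)
        if (sanitize_filename(samples[i], buf, sizeof buf) >= 0)
            printf("file name: %s\n", buf);
    return 0;
}
```

On failure the contents of `out` are unspecified, so a caller should fall back to a fixed placeholder rather than printing the buffer.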
--- Begin Message ---
fixed 42631 3.5-1
thanks

[forwarded from] 
https://sourceforge.net/tracker/?func=detail&atid=378598&aid=2212257&group_id=23475

Date: 2008-11-01 00:41
Sender: jhallen
This was fixed long ago.  JOE 3.5 has this fix.


--- End Message ---
