Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: The current directory, the users homedirectory ($HOME) and in /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling) reading it from the current directory can be dangerous: An attacker can leave a .joerc file in a writable directory, which would be read when a unsuspecting user starts joe in that directory. This has been fixed in version 2.8-15.3 and we recommend that you upgrade your joe package immediately.
This has been fixed in version 2.8-15.3 and we recommend that you upgrade your joe package immediately.