Hi all, there's a minor problem with the popular opensource editor 'joe' (http://sourceforge.net/projects/joe-editor/). The way how joe handles backup files may create unwanted suid files. Example situation: (1) unprivileged user creates some file and puts suid bit on it: trtko$ ls -l suid.file* -rwsr-sr-x 1 trtko trtko 68 Sep 17 19:57 suid.file (2) root goes and opens, edits and closes the file in 'joe'. (3) now look: trtko$ ls -l suid.file* -rwsr-sr-x 1 trtko trtko 68 Sep 17 19:57 suid.file -rwsr-sr-x 1 root root 68 Sep 17 19:58 suid.file~ Oops, root owned suid file was unintentionally created. This is a low risk since successful attack would require some sort of social engineering in making the administrator edit attackers file. Also some systems (Linux) won't let you have suid scripts, so you would have to make the root edit some compiled executable, or you would have to use some other tricks maybe... Maybe it's even not exploitable at all. Either way, having such unnecessary suid files generally isn't a good idea, I believe. (Project maintainers were contacted and have fixed the issue in the CVS version.) Have a nice day Ondrej -- Ondrej Suchy <ondrej-bugtraq@qlinux.cz>
