Report forwarded to debian-bugs-dist@lists.debian.org, Dale Scheetz <dwarf@polaris.net>:
Bug#42631; Package joe.   debian-bugs-dist@lists.debian.orgDale Scheetz  Subject: Bug#42631: joe: Potential security risk: control characters in filenames are printed without filtering. Reply-To: korn@eik.bme.hu, 42631@bugs.debian.org Resent-From: korn@eik.bme.hu Resent-To: debian-bugs-dist@lists.debian.org Resent-CC: Dale Scheetz Resent-Date: Sat, 07 Aug 1999 21:33:09 GMT Resent-Message-ID: Resent-Sender: iwj@debian.org X-Debian-PR-Message: report 42631 X-Debian-PR-Package: joe X-Debian-PR-Keywords: X-Loop: owner@bugs.debian.org Received: via spool by bugs@bugs.debian.org id=B.93406099023807 (code B ref -1); Sat, 07 Aug 1999 21:33:09 GMT Date: 7 Aug 1999 21:17:46 -0000 Message-ID: <19990807211746.6542.qmail@utopia> From: korn@eik.bme.hu To: submit@bugs.debian.org X-Mailer: bug 3.2.2 Package: joe Version: 2.8-12 Severity: normal Hi, if you create a file named ^G (ctrl-g) and open it in joe, you will hear a beep as the status line is updated; you will also hear it upon exit, when joe prints the message about not updating the file because it was not changed. A malicious user could create a file whose name contains more harmful control characters and wait for another user to open that file in joe (perhaps inadvertently; e.g. by using the TAB completion of many shells, or from a graphical user interface). I admit this is a long shot, but still: filenames should be filtered and control characters removed before the name of the file is printed. This potentially affects many other packages as well. grep is also vulnerable; I will post a separate report for that package, but currently I don't have the time to check any others. Best regards, -- Andrew Korn (Korn Andras) http://goliat.eik.bme.hu/~korn Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete. QOTD: A little bit of censorship is like being a little bit pregnant. -- System Information Debian Release: potato Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown Versions of the packages joe depends on: ii libc6 2.1.2-0pre1 GNU C Library: Shared libraries and timezone ii libncurses4 4.2-3.2 Shared libraries for terminal handling   Acknowledgement sent to korn@eik.bme.hu:
New bug report received and forwarded. Copy sent to Dale Scheetz <dwarf@polaris.net>.   -t  From: owner@bugs.debian.org (Debian Bug Tracking System) To: korn@eik.bme.hu Subject: Bug#42631: Acknowledgement (joe: Potential security risk: control characters in filenames are printed without filtering.) Message-ID: In-Reply-To: <19990807211746.6542.qmail@utopia> References: <19990807211746.6542.qmail@utopia> X-Debian-PR-Message: ack 42631 Thank you for the problem report you have sent regarding Debian. This is an automatically generated reply, to let you know your message has been received. It is being forwarded to the developers' mailing list for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): Dale Scheetz If you wish to submit further information on your problem, please send it to 42631@bugs.debian.org (and *not* to bugs@bugs.debian.org). Please do not reply to the address at the top of this message, unless you wish to report a problem with the bug-tracking system. Ian Jackson (administrator, Debian bugs database)   Received: (at submit) by bugs.debian.org; 7 Aug 1999 21:23:10 +0000 Received: (qmail 23803 invoked from network); 7 Aug 1999 21:23:09 -0000 Received: from chardonnay.math.bme.hu (qmailr@152.66.83.144) by master.debian.org with SMTP; 7 Aug 1999 21:23:09 -0000 Received: (qmail 9958 invoked from network); 7 Aug 1999 21:23:04 -0000 Received: from line56.dial.bme.hu (qmailr@152.66.142.56) by chardonnay.math.bme.hu with SMTP; 7 Aug 1999 21:23:04 -0000 Received: (qmail 6543 invoked by uid 1000); 7 Aug 1999 21:17:46 -0000 Date: 7 Aug 1999 21:17:46 -0000 Message-ID: <19990807211746.6542.qmail@utopia> From: korn@eik.bme.hu Subject: joe: Potential security risk: control characters in filenames are printed without filtering. To: submit@bugs.debian.org X-Mailer: bug 3.2.2 Package: joe Version: 2.8-12 Severity: normal Hi, if you create a file named ^G (ctrl-g) and open it in joe, you will hear a beep as the status line is updated; you will also hear it upon exit, when joe prints the message about not updating the file because it was not changed. A malicious user could create a file whose name contains more harmful control characters and wait for another user to open that file in joe (perhaps inadvertently; e.g. by using the TAB completion of many shells, or from a graphical user interface). I admit this is a long shot, but still: filenames should be filtered and control characters removed before the name of the file is printed. This potentially affects many other packages as well. grep is also vulnerable; I will post a separate report for that package, but currently I don't have the time to check any others. Best regards, -- Andrew Korn (Korn Andras) http://goliat.eik.bme.hu/~korn Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete. QOTD: A little bit of censorship is like being a little bit pregnant. -- System Information Debian Release: potato Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown Versions of the packages joe depends on: ii libc6 2.1.2-0pre1 GNU C Library: Shared libraries and timezone ii libncurses4 4.2-3.2 Shared libraries for terminal handling   Information forwarded to debian-bugs-dist@lists.debian.org, Josip Rodin <jrodin@jagor.srce.hr>:
Bug#42631; Package joe.   debian-bugs-dist@lists.debian.orgJosip Rodin  Subject: Bug#42631: joe: Potential security risk: control characters in filenames are printed without filtering. Reply-To: Josip Rodin , 42631@bugs.debian.org Resent-From: Josip Rodin Resent-To: debian-bugs-dist@lists.debian.org Resent-CC: Josip Rodin Resent-Date: Sun, 26 Nov 2000 11:48:23 GMT Resent-Message-ID: Resent-Sender: owner@bugs.debian.org X-Debian-PR-Message: report 42631 X-Debian-PR-Package: joe X-Debian-PR-Keywords: X-Loop: owner@bugs.debian.org Received: via spool by 42631-bugs@bugs.debian.org id=B42631.97523896912409 (code B ref 42631); Sun, 26 Nov 2000 11:48:23 GMT Date: Sun, 26 Nov 2000 12:43:23 +0100 From: Josip Rodin To: debian-security@lists.debian.org Cc: 42631@bugs.debian.org Message-ID: <20001126124323.B7402@cibalia.gkvk.hr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0.1i Delivered-To: 42631@bugs.debian.org Hi, Since one security issue has been fixed in joe very recently, I parsed its bug list a bit and noticed another fishy thing. On 7 Aug 1999, which was 1 year and 112 days ago (incredible, isn't it), Andras Korn wrote: > if you create a file named ^G (ctrl-g) and open it in joe, you will hear a > beep as the status line is updated; you will also hear it upon exit, when > joe prints the message about not updating the file because it was not > changed. I can reproduce it, joe ^V^G and it beeps when (in)appropriate. > A malicious user could create a file whose name contains more harmful > control characters and wait for another user to open that file in joe > (perhaps inadvertently; e.g. by using the TAB completion of many shells, or > from a graphical user interface). > > I admit this is a long shot, but still: filenames should be filtered and > control characters removed before the name of the file is printed. It seems these messages are made with stuff like sprintf(msgbuf,"File %.60s saved",s); (BTW originally the %.60s was %s, Dale patched it) How big a risk is this, can you security people advise me please? > This potentially affects many other packages as well. grep is also > vulnerable; I will post a separate report for that package, but currently > I don't have the time to check any others. If I run `grep -l foo' on a file called ^G, it will beep. FWIW. -- Digital Electronic Being Intended for Assassination and Nullification   Acknowledgement sent to Josip Rodin <joy@cibalia.gkvk.hr>:
Extra info received and forwarded to list. Copy sent to Josip Rodin <jrodin@jagor.srce.hr>.   -t  From: owner@bugs.debian.org (Debian Bug Tracking System) To: Josip Rodin Subject: Bug#42631: Info received (was joe: Potential security risk: control characters in filenames are printed without filtering.) Message-ID: In-Reply-To: <20001126124323.B7402@cibalia.gkvk.hr> References: <20001126124323.B7402@cibalia.gkvk.hr> X-Debian-PR-Message: ack-info-maintonly 42631 Thank you for the additional information you have supplied regarding this problem report. It has been forwarded to the developer(s) and to the developers mailing list to accompany the original report. Your message has been sent to the package maintainer(s): Josip Rodin If you wish to continue to submit further information on your problem, please send it to 42631@bugs.debian.org, as before. Please do not reply to the address at the top of this message, unless you wish to report a problem with the Bug-tracking system. Darren Benham (administrator, Debian Bugs database)   Received: (at 42631) by bugs.debian.org; 26 Nov 2000 11:42:49 +0000 From joy@cibalia.gkvk.hr Sun Nov 26 05:42:49 2000 Return-path: Received: from cibalia.gkvk.hr [161.53.211.3] (mail) by master.debian.org with esmtp (Exim 3.12 1 (Debian)) id 1400Cl-0003DZ-00; Sun, 26 Nov 2000 05:42:48 -0600 Received: from joy by cibalia.gkvk.hr with local (Exim 3.12 #1 (Debian)) id 1400DL-0001xP-00; Sun, 26 Nov 2000 12:43:23 +0100 Date: Sun, 26 Nov 2000 12:43:23 +0100 From: Josip Rodin To: debian-security@lists.debian.org Cc: 42631@bugs.debian.org Subject: Re: joe: Potential security risk: control characters in filenames are printed without filtering. Message-ID: <20001126124323.B7402@cibalia.gkvk.hr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii User-Agent: Mutt/1.0.1i Delivered-To: 42631@bugs.debian.org Hi, Since one security issue has been fixed in joe very recently, I parsed its bug list a bit and noticed another fishy thing. On 7 Aug 1999, which was 1 year and 112 days ago (incredible, isn't it), Andras Korn wrote: > if you create a file named ^G (ctrl-g) and open it in joe, you will hear a > beep as the status line is updated; you will also hear it upon exit, when > joe prints the message about not updating the file because it was not > changed. I can reproduce it, joe ^V^G and it beeps when (in)appropriate. > A malicious user could create a file whose name contains more harmful > control characters and wait for another user to open that file in joe > (perhaps inadvertently; e.g. by using the TAB completion of many shells, or > from a graphical user interface). > > I admit this is a long shot, but still: filenames should be filtered and > control characters removed before the name of the file is printed. It seems these messages are made with stuff like sprintf(msgbuf,"File %.60s saved",s); (BTW originally the %.60s was %s, Dale patched it) How big a risk is this, can you security people advise me please? > This potentially affects many other packages as well. grep is also > vulnerable; I will post a separate report for that package, but currently > I don't have the time to check any others. If I run `grep -l foo' on a file called ^G, it will beep. FWIW. -- Digital Electronic Being Intended for Assassination and Nullification   Changed Bug title. Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org.   Received: (at control) by bugs.debian.org; 24 Dec 2000 16:19:03 +0000 From joy@cibalia.gkvk.hr Sun Dec 24 10:19:03 2000 Return-path: Received: from cibalia.gkvk.hr [161.53.211.3] (mail) by master.debian.org with esmtp (Exim 3.12 1 (Debian)) id 14ADrS-0006yX-00; Sun, 24 Dec 2000 10:19:02 -0600 Received: from joy by cibalia.gkvk.hr with local (Exim 3.12 #1 (Debian)) id 14ADrY-0007m2-00 for ; Sun, 24 Dec 2000 17:19:08 +0100 Date: Sun, 24 Dec 2000 17:19:08 +0100 To: control@bugs.debian.org Subject: joe bugs Message-ID: <20001224171908.A29862@cibalia.gkvk.hr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i From: Josip Rodin Delivered-To: control@bugs.debian.org retitle 23574 joe sometimes mucks up the terminal when scrolling [rare, has workarounds] tag 23574 moreinfo retitle 30978 undoing changes sometimes doesn't make joe update the file retitle 42631 joe prints control characters in filenames without filtering tag 42631 moreinfo severity 50978 minor severity 63261 minor retitle 69664 joe: screen messed up over telnet tag 69664 help -- Digital Electronic Being Intended for Assassination and Nullification   Tags added: moreinfo Request was from Josip Rodin <joy@cibalia.gkvk.hr> to control@bugs.debian.org.   Received: (at control) by bugs.debian.org; 24 Dec 2000 16:19:03 +0000 From joy@cibalia.gkvk.hr Sun Dec 24 10:19:03 2000 Return-path: Received: from cibalia.gkvk.hr [161.53.211.3] (mail) by master.debian.org with esmtp (Exim 3.12 1 (Debian)) id 14ADrS-0006yX-00; Sun, 24 Dec 2000 10:19:02 -0600 Received: from joy by cibalia.gkvk.hr with local (Exim 3.12 #1 (Debian)) id 14ADrY-0007m2-00 for ; Sun, 24 Dec 2000 17:19:08 +0100 Date: Sun, 24 Dec 2000 17:19:08 +0100 To: control@bugs.debian.org Subject: joe bugs Message-ID: <20001224171908.A29862@cibalia.gkvk.hr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i From: Josip Rodin Delivered-To: control@bugs.debian.org retitle 23574 joe sometimes mucks up the terminal when scrolling [rare, has workarounds] tag 23574 moreinfo retitle 30978 undoing changes sometimes doesn't make joe update the file retitle 42631 joe prints control characters in filenames without filtering tag 42631 moreinfo severity 50978 minor severity 63261 minor retitle 69664 joe: screen messed up over telnet tag 69664 help -- Digital Electronic Being Intended for Assassination and Nullification   Changed Bug submitter from korn@eik.bme.hu to Andras Korn <korn-debbugs@chardonnay.math.bme.hu>. Request was from Andras Korn <korn-debbugs@chardonnay.math.bme.hu> to control@bugs.debian.org.   Received: (at control) by bugs.debian.org; 18 Sep 2003 21:46:47 +0000 From korn-control=bugs.debian.org@chardonnay.math.bme.hu Thu Sep 18 16:46:13 2003 Return-path: Received: from chardonnay.math.bme.hu [152.66.83.144] by master.debian.org with smtp (Exim 3.35 1 (Debian)) id 1A06bN-0003Kd-00; Thu, 18 Sep 2003 16:46:13 -0500 Received: (qmail 23993 invoked by uid 1000); 18 Sep 2003 21:46:12 -0000 Date: Thu, 18 Sep 2003 23:46:12 +0200 From: Andras Korn To: control@bugs.debian.org Subject: change of email address Message-ID: <20030918214611.GA18900@chardonnay.math.bme.hu> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Organization: Technical University of Budapest, Department of Calculus User-Agent: Mutt/1.5.4i Delivered-To: control@bugs.debian.org X-Spam-Status: No, hits=0.0 required=4.0 tests=none version=2.53-bugs.debian.org_2003_9_16 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_16 (1.174.2.15-2003-03-30-exp) submitter 78782 ! submitter 148751 ! submitter 46376 ! submitter 48555 ! submitter 56546 ! submitter 60405 ! submitter 66032 ! submitter 103820 ! submitter 106224 ! submitter 112555 ! submitter 120399 ! submitter 120503 ! submitter 148492 ! submitter 149460 ! submitter 149897 ! submitter 164615 ! submitter 60737 ! submitter 80633 ! submitter 148808 ! submitter 164155 ! submitter 66031 ! submitter 80343 ! submitter 86539 ! submitter 94350 ! submitter 96057 ! submitter 109687 ! submitter 111689 ! submitter 116171 ! submitter 122137 ! submitter 148752 ! submitter 149395 ! submitter 186013 ! submitter 45998 ! submitter 58861 ! submitter 81315 ! submitter 44749 ! submitter 108492 ! submitter 42631 ! submitter 41554 ! submitter 42630 ! submitter 43594 ! submitter 43593 ! thanks Trying to keep some of the spammers out... -- Andrew Korn (Korn Andras) Finger korn at chardonnay.math.bme.hu for pgp key. QOTD: Never trust an engineer!   Noted your statement that Bug has been forwarded to https://sourceforge.net/tracker/index.php?func=detail&aid=2212257&group_id=23475&atid=378598. Request was from Jari Aalto <jari.aalto@cante.net> to control@bugs.debian.org.   Received: (at control) by bugs.debian.org; 31 Oct 2008 17:39:42 +0000 From jari.aalto@cante.net Fri Oct 31 17:39:42 2008 X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02 (2007-08-08) on rietz.debian.org X-Spam-Level: X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 67; neutral, 32; spammy, 1. spammytokens:0.995-1--42631 hammytokens:0.000-+--H*M:fsf, 0.000-+--H*MI:fsf, 0.000-+--HX-Spam-Relays-External:saunalahti-vams, 0.000-+--H*RU:saunalahti-vams, 0.000-+--HX-Antivirus:VAMS X-Spam-Status: No, score=-7.0 required=4.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.2.3-bugs.debian.org_2005_01_02 Return-path: Received: from emh02.mail.saunalahti.fi ([62.142.5.108]) by rietz.debian.org with esmtp (Exim 4.63) (envelope-from ) id 1KvxyI-0007H8-Ac for control@bugs.debian.org; Fri, 31 Oct 2008 17:39:42 +0000 Received: from saunalahti-vams (vs3-12.mail.saunalahti.fi [62.142.5.96]) by emh02-2.mail.saunalahti.fi (Postfix) with SMTP id 52AE7EF97C for ; Fri, 31 Oct 2008 19:39:40 +0200 (EET) Received: from emh02.mail.saunalahti.fi ([62.142.5.108]) by vs3-12.mail.saunalahti.fi ([62.142.5.96]) with SMTP (gateway) id A0753334BEE; Fri, 31 Oct 2008 19:39:40 +0200 Received: from jondo.cante.net (a91-155-179-127.elisa-laajakaista.fi [91.155.179.127]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id 2CEDD2BD5C for ; Fri, 31 Oct 2008 19:39:39 +0200 (EET) To: control@bugs.debian.org Subject: Bug#42631 forwarded to upstream Mail-Copies-To: poster X-Bug-User-Agent: Emacs 22.2.1 and tinydebian.el 1.97 From: Jari Aalto Date: Fri, 31 Oct 2008 20:39:38 +0300 Message-ID: <87vdv8y885.fsf@jondo.cante.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Antivirus: VAMS Delivered-To: control@bugs.debian.org forwarded 42631 https://sourceforge.net/tracker/index.php?func=detail&aid=2212257&group_id=23475&atid=378598 thanks   Bug marked as fixed in version 3.5-1. Request was from Jari Aalto <jari.aalto@cante.net> to control@bugs.debian.org.   Received: (at control) by bugs.debian.org; 1 Nov 2008 15:48:25 +0000 From jari.aalto@cante.net Sat Nov 01 15:48:25 2008 X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02 (2007-08-08) on rietz.debian.org X-Spam-Level: X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 85; neutral, 31; spammy, 0. spammytokens: hammytokens:0.000-+--H*M:fsf, 0.000-+--H*MI:fsf, 0.000-+--HX-Spam-Relays-External:saunalahti-vams, 0.000-+--H*RU:saunalahti-vams, 0.000-+--HX-Antivirus:VAMS X-Spam-Status: No, score=-6.6 required=4.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.2.3-bugs.debian.org_2005_01_02 Return-path: Received: from emh06.mail.saunalahti.fi ([62.142.5.116]) by rietz.debian.org with esmtp (Exim 4.63) (envelope-from ) id 1KwIi9-0005ZC-AY; Sat, 01 Nov 2008 15:48:25 +0000 Received: from saunalahti-vams (vs3-11.mail.saunalahti.fi [62.142.5.95]) by emh06-2.mail.saunalahti.fi (Postfix) with SMTP id 8F784C8308; Sat, 1 Nov 2008 17:48:23 +0200 (EET) Received: from emh05.mail.saunalahti.fi ([62.142.5.111]) by vs3-11.mail.saunalahti.fi ([62.142.5.95]) with SMTP (gateway) id A054648B928; Sat, 01 Nov 2008 17:48:23 +0200 Received: from jondo.cante.net (a91-155-179-127.elisa-laajakaista.fi [91.155.179.127]) by emh05.mail.saunalahti.fi (Postfix) with ESMTP id 5D46727DA6; Sat, 1 Nov 2008 17:48:21 +0200 (EET) To: control@bugs.debian.org, 42631-close@bugs.debian.org Subject: Fixed Bug#42631 JOE 3.5-1 Mail-Copies-To: poster X-Bug-User-Agent: Emacs 22.2.1 and tinydebian.el 1.97 From: Jari Aalto Date: Sat, 01 Nov 2008 18:48:20 +0300 Message-ID: <87mygjwipn.fsf@jondo.cante.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Antivirus: VAMS Delivered-To: control@bugs.debian.org fixed 42631 3.5-1 thanks [forwarded from] https://sourceforge.net/tracker/?func=detail&atid=378598&aid=2212257&group_id=23475 Date: 2008-11-01 00:41 Sender: jhallen This was fixed long ago. JOE 3.5 has this fix.   Reply sent to Jari Aalto <jari.aalto@cante.net>:
You have taken responsibility.   -t  MIME-Version: 1.0 X-Mailer: MIME-tools 5.420 (Entity 5.420) X-Loop: owner@bugs.debian.org From: owner@bugs.debian.org (Debian Bug Tracking System) To: Jari Aalto Subject: Bug#42631: marked as done (joe prints control characters in filenames without filtering) Message-ID: References: <87mygjwipn.fsf@jondo.cante.net> <19990807211746.6542.qmail@utopia> X-Debian-PR-Message: closed 42631 X-Debian-PR-Package: joe X-Debian-PR-Keywords: moreinfo X-Debian-PR-Source: joe Content-Type: multipart/mixed; boundary="----------=_1225554663-23434-0" This is a multi-part message in MIME format... ------------=_1225554663-23434-0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Your message dated Sat, 01 Nov 2008 18:48:20 +0300 with message-id <87mygjwipn.fsf@jondo.cante.net> and subject line Fixed Bug#42631 JOE 3.5-1 has caused the Debian Bug report #42631, regarding joe prints control characters in filenames without filtering to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) --=20 42631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D42631 Debian Bug Tracking System Contact owner@bugs.debian.org with problems ------------=_1225554663-23434-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by bugs.debian.org; 7 Aug 1999 21:23:10 +0000 Received: (qmail 23803 invoked from network); 7 Aug 1999 21:23:09 -0000 Received: from chardonnay.math.bme.hu (qmailr@152.66.83.144) by master.debian.org with SMTP; 7 Aug 1999 21:23:09 -0000 Received: (qmail 9958 invoked from network); 7 Aug 1999 21:23:04 -0000 Received: from line56.dial.bme.hu (qmailr@152.66.142.56) by chardonnay.math.bme.hu with SMTP; 7 Aug 1999 21:23:04 -0000 Received: (qmail 6543 invoked by uid 1000); 7 Aug 1999 21:17:46 -0000 Date: 7 Aug 1999 21:17:46 -0000 Message-ID: <19990807211746.6542.qmail@utopia> From: korn@eik.bme.hu Subject: joe: Potential security risk: control characters in filenames are printed without filtering. To: submit@bugs.debian.org X-Mailer: bug 3.2.2 Package: joe Version: 2.8-12 Severity: normal Hi, if you create a file named ^G (ctrl-g) and open it in joe, you will hear a beep as the status line is updated; you will also hear it upon exit, when joe prints the message about not updating the file because it was not changed. A malicious user could create a file whose name contains more harmful control characters and wait for another user to open that file in joe (perhaps inadvertently; e.g. by using the TAB completion of many shells, or from a graphical user interface). I admit this is a long shot, but still: filenames should be filtered and control characters removed before the name of the file is printed. This potentially affects many other packages as well. grep is also vulnerable; I will post a separate report for that package, but currently I don't have the time to check any others. Best regards, -- Andrew Korn (Korn Andras) http://goliat.eik.bme.hu/~korn Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete. QOTD: A little bit of censorship is like being a little bit pregnant. -- System Information Debian Release: potato Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown Versions of the packages joe depends on: ii libc6 2.1.2-0pre1 GNU C Library: Shared libraries and timezone ii libncurses4 4.2-3.2 Shared libraries for terminal handling ------------=_1225554663-23434-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 42631-close) by bugs.debian.org; 1 Nov 2008 15:48:25 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02 (2007-08-08) on rietz.debian.org X-Spam-Level: X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 85; neutral, 31; spammy, 0. spammytokens: hammytokens:0.000-+--H*M:fsf, 0.000-+--H*MI:fsf, 0.000-+--HX-Spam-Relays-External:saunalahti-vams, 0.000-+--H*RU:saunalahti-vams, 0.000-+--HX-Antivirus:VAMS X-Spam-Status: No, score=-6.6 required=4.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.2.3-bugs.debian.org_2005_01_02 Return-path: Received: from emh06.mail.saunalahti.fi ([62.142.5.116]) by rietz.debian.org with esmtp (Exim 4.63) (envelope-from ) id 1KwIi9-0005ZC-AY; Sat, 01 Nov 2008 15:48:25 +0000 Received: from saunalahti-vams (vs3-11.mail.saunalahti.fi [62.142.5.95]) by emh06-2.mail.saunalahti.fi (Postfix) with SMTP id 8F784C8308; Sat, 1 Nov 2008 17:48:23 +0200 (EET) Received: from emh05.mail.saunalahti.fi ([62.142.5.111]) by vs3-11.mail.saunalahti.fi ([62.142.5.95]) with SMTP (gateway) id A054648B928; Sat, 01 Nov 2008 17:48:23 +0200 Received: from jondo.cante.net (a91-155-179-127.elisa-laajakaista.fi [91.155.179.127]) by emh05.mail.saunalahti.fi (Postfix) with ESMTP id 5D46727DA6; Sat, 1 Nov 2008 17:48:21 +0200 (EET) To: control@bugs.debian.org, 42631-close@bugs.debian.org Subject: Fixed Bug#42631 JOE 3.5-1 Mail-Copies-To: poster X-Bug-User-Agent: Emacs 22.2.1 and tinydebian.el 1.97 From: Jari Aalto Date: Sat, 01 Nov 2008 18:48:20 +0300 Message-ID: <87mygjwipn.fsf@jondo.cante.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Antivirus: VAMS fixed 42631 3.5-1 thanks [forwarded from] https://sourceforge.net/tracker/?func=detail&atid=378598&aid=2212257&group_id=23475 Date: 2008-11-01 00:41 Sender: jhallen This was fixed long ago. JOE 3.5 has this fix. ------------=_1225554663-23434-0--   Notification sent to Andras Korn <korn-debbugs@chardonnay.math.bme.hu>:
Bug acknowledged by developer.   -t  MIME-Version: 1.0 X-Mailer: MIME-tools 5.420 (Entity 5.420) X-Loop: owner@bugs.debian.org From: owner@bugs.debian.org (Debian Bug Tracking System) To: Andras Korn Subject: Bug#42631 closed by Jari Aalto (Fixed Bug#42631 JOE 3.5-1) Message-ID: References: <87mygjwipn.fsf@jondo.cante.net> <19990807211746.6542.qmail@utopia> X-Debian-PR-Message: they-closed 42631 X-Debian-PR-Package: joe X-Debian-PR-Keywords: moreinfo X-Debian-PR-Source: joe Reply-To: 42631@bugs.debian.org Content-Type: multipart/mixed; boundary="----------=_1225554663-23434-1" This is a multi-part message in MIME format... ------------=_1225554663-23434-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" This is an automatic notification regarding your Bug report which was filed against the joe package: #42631: joe prints control characters in filenames without filtering It has been closed by Jari Aalto . Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Jari Aalto by replying to this email. --=20 42631: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D42631 Debian Bug Tracking System Contact owner@bugs.debian.org with problems ------------=_1225554663-23434-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 42631-close) by bugs.debian.org; 1 Nov 2008 15:48:25 +0000 X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02 (2007-08-08) on rietz.debian.org X-Spam-Level: X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 85; neutral, 31; spammy, 0. spammytokens: hammytokens:0.000-+--H*M:fsf, 0.000-+--H*MI:fsf, 0.000-+--HX-Spam-Relays-External:saunalahti-vams, 0.000-+--H*RU:saunalahti-vams, 0.000-+--HX-Antivirus:VAMS X-Spam-Status: No, score=-6.6 required=4.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.2.3-bugs.debian.org_2005_01_02 Return-path: Received: from emh06.mail.saunalahti.fi ([62.142.5.116]) by rietz.debian.org with esmtp (Exim 4.63) (envelope-from ) id 1KwIi9-0005ZC-AY; Sat, 01 Nov 2008 15:48:25 +0000 Received: from saunalahti-vams (vs3-11.mail.saunalahti.fi [62.142.5.95]) by emh06-2.mail.saunalahti.fi (Postfix) with SMTP id 8F784C8308; Sat, 1 Nov 2008 17:48:23 +0200 (EET) Received: from emh05.mail.saunalahti.fi ([62.142.5.111]) by vs3-11.mail.saunalahti.fi ([62.142.5.95]) with SMTP (gateway) id A054648B928; Sat, 01 Nov 2008 17:48:23 +0200 Received: from jondo.cante.net (a91-155-179-127.elisa-laajakaista.fi [91.155.179.127]) by emh05.mail.saunalahti.fi (Postfix) with ESMTP id 5D46727DA6; Sat, 1 Nov 2008 17:48:21 +0200 (EET) To: control@bugs.debian.org, 42631-close@bugs.debian.org Subject: Fixed Bug#42631 JOE 3.5-1 Mail-Copies-To: poster X-Bug-User-Agent: Emacs 22.2.1 and tinydebian.el 1.97 From: Jari Aalto Date: Sat, 01 Nov 2008 18:48:20 +0300 Message-ID: <87mygjwipn.fsf@jondo.cante.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Antivirus: VAMS fixed 42631 3.5-1 thanks [forwarded from] https://sourceforge.net/tracker/?func=detail&atid=378598&aid=2212257&group_id=23475 Date: 2008-11-01 00:41 Sender: jhallen This was fixed long ago. JOE 3.5 has this fix. ------------=_1225554663-23434-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by bugs.debian.org; 7 Aug 1999 21:23:10 +0000 Received: (qmail 23803 invoked from network); 7 Aug 1999 21:23:09 -0000 Received: from chardonnay.math.bme.hu (qmailr@152.66.83.144) by master.debian.org with SMTP; 7 Aug 1999 21:23:09 -0000 Received: (qmail 9958 invoked from network); 7 Aug 1999 21:23:04 -0000 Received: from line56.dial.bme.hu (qmailr@152.66.142.56) by chardonnay.math.bme.hu with SMTP; 7 Aug 1999 21:23:04 -0000 Received: (qmail 6543 invoked by uid 1000); 7 Aug 1999 21:17:46 -0000 Date: 7 Aug 1999 21:17:46 -0000 Message-ID: <19990807211746.6542.qmail@utopia> From: korn@eik.bme.hu Subject: joe: Potential security risk: control characters in filenames are printed without filtering. To: submit@bugs.debian.org X-Mailer: bug 3.2.2 Package: joe Version: 2.8-12 Severity: normal Hi, if you create a file named ^G (ctrl-g) and open it in joe, you will hear a beep as the status line is updated; you will also hear it upon exit, when joe prints the message about not updating the file because it was not changed. A malicious user could create a file whose name contains more harmful control characters and wait for another user to open that file in joe (perhaps inadvertently; e.g. by using the TAB completion of many shells, or from a graphical user interface). I admit this is a long shot, but still: filenames should be filtered and control characters removed before the name of the file is printed. This potentially affects many other packages as well. grep is also vulnerable; I will post a separate report for that package, but currently I don't have the time to check any others. Best regards, -- Andrew Korn (Korn Andras) http://goliat.eik.bme.hu/~korn Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete. QOTD: A little bit of censorship is like being a little bit pregnant. -- System Information Debian Release: potato Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown Versions of the packages joe depends on: ii libc6 2.1.2-0pre1 GNU C Library: Shared libraries and timezone ii libncurses4 4.2-3.2 Shared libraries for terminal handling ------------=_1225554663-23434-1--   Received: (at 42631-close) by bugs.debian.org; 1 Nov 2008 15:48:25 +0000 From jari.aalto@cante.net Sat Nov 01 15:48:25 2008 X-Spam-Checker-Version: SpamAssassin 3.2.3-bugs.debian.org_2005_01_02 (2007-08-08) on rietz.debian.org X-Spam-Level: X-Spam-Bayes: score:0.0000 Tokens: new, 11; hammy, 85; neutral, 31; spammy, 0. spammytokens: hammytokens:0.000-+--H*M:fsf, 0.000-+--H*MI:fsf, 0.000-+--HX-Spam-Relays-External:saunalahti-vams, 0.000-+--H*RU:saunalahti-vams, 0.000-+--HX-Antivirus:VAMS X-Spam-Status: No, score=-6.6 required=4.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.2.3-bugs.debian.org_2005_01_02 Return-path: Received: from emh06.mail.saunalahti.fi ([62.142.5.116]) by rietz.debian.org with esmtp (Exim 4.63) (envelope-from ) id 1KwIi9-0005ZC-AY; Sat, 01 Nov 2008 15:48:25 +0000 Received: from saunalahti-vams (vs3-11.mail.saunalahti.fi [62.142.5.95]) by emh06-2.mail.saunalahti.fi (Postfix) with SMTP id 8F784C8308; Sat, 1 Nov 2008 17:48:23 +0200 (EET) Received: from emh05.mail.saunalahti.fi ([62.142.5.111]) by vs3-11.mail.saunalahti.fi ([62.142.5.95]) with SMTP (gateway) id A054648B928; Sat, 01 Nov 2008 17:48:23 +0200 Received: from jondo.cante.net (a91-155-179-127.elisa-laajakaista.fi [91.155.179.127]) by emh05.mail.saunalahti.fi (Postfix) with ESMTP id 5D46727DA6; Sat, 1 Nov 2008 17:48:21 +0200 (EET) To: control@bugs.debian.org, 42631-close@bugs.debian.org Subject: Fixed Bug#42631 JOE 3.5-1 Mail-Copies-To: poster X-Bug-User-Agent: Emacs 22.2.1 and tinydebian.el 1.97 From: Jari Aalto Date: Sat, 01 Nov 2008 18:48:20 +0300 Message-ID: <87mygjwipn.fsf@jondo.cante.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Antivirus: VAMS fixed 42631 3.5-1 thanks [forwarded from] https://sourceforge.net/tracker/?func=detail&atid=378598&aid=2212257&group_id=23475 Date: 2008-11-01 00:41 Sender: jhallen This was fixed long ago. JOE 3.5 has this fix.