Subject: Symlink Check: editors/joe
To: None <tech-pkg@netbsd.org>
From: Brian Seklecki <lavalamp@burghcom.com>
List: tech-pkg
Date: 02/13/2001 01:00:14
Is anyone familiar with the BUGTRAQ discussions on a local vulnerability
in Joe 2.8 regarding improper sanity checking on DEADJOE?
I'm looking at a patch (we won't go into the source >:} ) to correct:
--- b.c.orig Fri Jan 20 00:38:25 1995
+++ b.c Sun Dec 3 09:58:21 2000
@@ -21,6 +21,9 @@
#include <pwd.h>
#endif
#include <errno.h>
+#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include "config.h"
#include "blocks.h"
[cut....]
@@ -1990,7 +2022,18 @@
{
long tim=time(0);
B *b;
- FILE *f=fopen("DEADJOE","a");
+ FILE *f;
+ struct stat sb;
+ if ((lstat("DEADJOE", &sb) == 0) && (((sb.st_mode & S_IFLNK) &&
(sb.st_uid != getuid())) || (sb.st_nlink > 1)))
+ {
+ printf("*** JOE was aborted ");
+ if (sig) printf("by signal %d, cannot save DEADJOE due to unsafe
symlink\n",sig);
+ else printf("because the terminal closed, cannot save DEADJOE due to
unsafe symlink\n");
+ if(sig) ttclsn();
+ _exit(1);
+ }
+ f=fopen("DEADJOE","a");
+ chmod("DEADJOE", S_IRUSR | S_IWUSR);
fprintf(f,"\n*** Modified files in JOE when it aborted on
%s",ctime(&tim));
if(sig) fprintf(f,"*** JOE was aborted by signal %d\n",sig);
else fprintf(f,"*** JOE was aborted because the terminal closed\n");
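Review bot: The added `lstat("DEADJOE", &sb)` check and the later `fopen("DEADJOE","a")` are two separate path lookups, so the name can be replaced by a symlink or hard link between them and the check does not bind to the file that is actually opened. The test `sb.st_mode & S_IFLNK` is also not a symlink test, because with the usual BSD and Linux values the S_IFLNK bits overlap S_IFREG; `S_ISLNK(sb.st_mode)` is the correct form. The result of `fopen()` is still passed to `fprintf()` unchecked, and `chmod()` by name repeats the same race. I would open once with `open()` and `O_NOFOLLOW` (from `<fcntl.h>`), validate with `fstat()` on the descriptor, then use `fdopen()` and `fchmod()`, as sketched below; this refuses every symlink, including ones the user owns. The enclosing function starts and ends outside the hunk.

```c
FILE *f = NULL;
struct stat sb;
/* One lookup only: refuse a symlink at the final component, create 0600. */
int fd = open("DEADJOE", O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW,
              S_IRUSR | S_IWUSR);
/* Validate the object we actually hold, not the name. */
if (fd < 0 || fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) ||
    sb.st_uid != getuid() || sb.st_nlink > 1 ||
    (f = fdopen(fd, "a")) == NULL)
{
    /* … unchanged: "cannot save DEADJOE" messages and ttclsn() … */
    _exit(1);
}
/* Tighten the mode of a pre-existing file through the descriptor. */
fchmod(fd, S_IRUSR | S_IWUSR);
/* … unchanged: fprintf() calls writing the abort banner … */
```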
--Brian