After looking through the patches that OpenBSD/FreeBSD/NetBSD has for
their joe ports, it looks like joe is still vulnerable in the
FreeBSD/NetBSD ports trees, but not in the OpenBSD ports tree as of
Dec 22 1998.

revision 1.3
date: 1998/12/22 03:58:13;  author: form;  state: Exp;  lines: +74 -55
Do not use ./.xxxrc startup file.
Startup files order: ~/.xxxrc, /etc/joe/xxxrc, ${PREFIX}/lib/joe/xxxrc.

// Brad

brad@comstyle.com
brad@openbsd.org

>TITLE:          Joe's Own Editor File Handling Error
>ADVISORY ID:    WSIR-01/02-02
>REFERENCE:      http://www.wkit.com/advisories
>CVE:            GENERIC-MAP-NOMATCH
>CREDIT:         Christer =D6berg, Wkit Security AB
>CONTACT:        advisories@wkit.com
>CLASS:          File Handling Error
>OBJECT:         joe(1) (exec)
>VENDOR:         Josef H. Allen
>STATUS:
>REMOTE:         No
>LOCAL:          Yes
>VULNERABLE:     Joseph Allen joe 2.8
>
>DATE
>  CREATED:        26/02/2001
>  LAST UPDATED:
>  VENDOR CONTACT:
>  RELEASE:        28/02/2001
>
>VULNERABILITY DESCRIPTION
>  joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, an=
d
>  /usr/local/lib/joerc in that order. Users could be tricked into execute
>  commands if they open/edit a file with joe in a directory where other
>  users can write.