Package: release.debian.org Severity: normal Tags: bullseye User: [email protected] Usertags: pu X-Debbugs-Cc: Jordi Mallach <[email protected]>, [email protected]
* CVE-2024-5742: Emergency file symlink attack For bookworm the pu-fix for this no-dsa CVE is part of #1070702.
diffstat for nano-5.4 nano-5.4 changelog | 7 patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch | 102 ++++++++++ patches/series | 1 3 files changed, 110 insertions(+)
diff -Nru nano-5.4/debian/changelog nano-5.4/debian/changelog
--- nano-5.4/debian/changelog 2022-12-02 15:06:48.000000000 +0200
+++ nano-5.4/debian/changelog 2024-06-17 15:31:04.000000000 +0300
@@ -1,3 +1,10 @@
+nano (5.4-2+deb11u3) bullseye; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2024-5742: Emergency file symlink attack
+
+ -- Adrian Bunk <[email protected]> Mon, 17 Jun 2024 15:31:04 +0300
+
 nano (5.4-2+deb11u2) bullseye; urgency=medium
 
 * The "No a l'ampliació del port" release.
diff -Nru nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
--- nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch 1970-01-01 02:00:00.000000000 +0200
+++ nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch 2024-06-17 15:31:04.000000000 +0300
@@ -0,0 +1,102 @@
+From dd7f348fc2e98fd7b6e2b329441aeb428fc424f3 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <[email protected]>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+---
+ src/definitions.h | 2 +-
+ src/files.c | 13 ++++++++++++-
+ src/nano.c | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/definitions.h b/src/definitions.h
+index b79a6218..4889ab03 100644
+--- a/src/definitions.h
++++ b/src/definitions.h
+@@ -141,7 +141,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+- OVERWRITE, APPEND, PREPEND
++ OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index ab9957c9..53e148d1 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1732,6 +1732,8 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ #endif
+ char *realname = real_dir_from_tilde(name);
+ /* The filename after tilde expansion. */
++ int fd = 0;
++ /* The descriptor that is assigned when opening the file. */
+ char *tempname = NULL;
+ /* The name of the temporary file we use when prepending. */
+ linestruct *line = openfile->filetop;
+@@ -1810,7 +1812,6 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ * For an emergency file, access is restricted to just the owner. */
+ if (thefile == NULL) {
+ mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
+- int fd;
+ 
+ #ifndef NANO_TINY
+ block_sigwinch(TRUE);
+@@ -1937,6 +1938,16 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ }
+ #endif
+ 
++#ifndef NANO_TINY
++ /* Change permissions and owner of an emergency save file to the values
++ * of the original file, but ignore any failure as we are in a hurry. */
++ if (method == EMERGENCY && fd && openfile->statinfo) {
++ IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
++ IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
++ openfile->statinfo->st_gid));
++ }
++#endif
++
+ if (fclose(thefile) != 0) {
+ statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
+ goto cleanup_and_exit;
+diff --git a/src/nano.c b/src/nano.c
+index 521c4a03..76f0f879 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -328,7 +328,7 @@ void emergency_save(const char *plainname)
+ targetname = get_next_filename(plainname, ".save");
+ 
+ if (*targetname != '\0')
+- failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
++ failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+ if (!failed)
+ fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+@@ -338,16 +338,6 @@ void emergency_save(const char *plainname)
+ else
+ fprintf(stderr, _("\nToo many .save files"));
+ 
+-#ifndef NANO_TINY
+- /* Try to chmod/chown the saved file to the values of the original file,
+- * but ignore any failure as we are in a hurry to get out. */
+- if (openfile->statinfo) {
+- IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
+- IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+- openfile->statinfo->st_gid));
+- }
+-#endif
+-
+ free(targetname);
+ }
+ 
+-- 
+2.30.2
+
diff -Nru nano-5.4/debian/patches/series nano-5.4/debian/patches/series
--- nano-5.4/debian/patches/series 2022-12-02 14:43:25.000000000 +0200
+++ nano-5.4/debian/patches/series 2024-06-17 15:31:04.000000000 +0300
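Review bot: In the `src/files.c` part of the added patch, `int fd = 0;` together with the test `method == EMERGENCY && fd && openfile->statinfo` uses 0 as the "never opened" sentinel, yet 0 is a valid descriptor; if the open (which lies outside the hunk) ever returns 0, for example because standard input was already closed, the `fchmod`/`fchown` pair is silently skipped. That fails safe, since the file keeps the owner-only mode it was created with, but `int fd = -1;` with `fd >= 0` in the condition states the intent without the edge case. Because this is a backport to 5.4, it is also worth confirming that no `method == OVERWRITE` comparison elsewhere in `write_file` now takes a different path for the emergency save, given that `emergency_save` passes `EMERGENCY` instead. The descriptor-based calls close the replacement window only if the open itself refuses an already existing path or symlink; that call is not visible here and should be checked against the 5.4 source.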
@@ -36,3 +36,4 @@
 0036-input-ensure-that-no-more-bytes-are-consumed-than-ar.patch
 0037-execute-don-t-crash-when-an-empty-buffer-is-piped-th.patch
 0038-text-upon-Enter-eat-only-lefthand-blanks-not-any-oth.patch
+0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch

