Your message dated Sat, 16 May 2026 10:23:17 +0000
with message-id <[email protected]>
and subject line Released with 13.5
has caused the Debian Bug report #1135861,
regarding trixie-pu: package nano/8.4-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135861: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135861
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nano
User: [email protected]
Usertags: pu

Hi,

I'd like to have a nano update in the next point release,
to fix two low-impact CVEs.

The fixes are already in unstable and forky, and are
straightforward one-liners.

[ Reason ]
carnil contacted me to propose this update for the next point
release, and I have prepared it. The security issues are
not urgent or critical, but would be good to have fixes for
outside the security update channel.


[ Impact ]
2 security issues will remain unfixed in nano in trixie:
- a format string vuln, exploitable via the internal
  file browser
- a window to get ~/.local created with permissive
  permissions, enabling further exploits, e.g. via malicious
  desktop files


[ Tests ]
Manually tested a build.

[ Risks ]
Close to none; the trees haven't diverged that much and the fixes
are really straightforward.


[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
- Add two patches and a series file
- Adjust gbp.conf for the new branch


[ Other info ]
This is in coordination with Salvatore Bonaccorso.

-- 
Jordi Mallach <[email protected]>
Debian Project
diff -Nru nano-8.4/debian/changelog nano-8.4/debian/changelog
--- nano-8.4/debian/changelog	2025-04-06 16:11:52.000000000 +0200
+++ nano-8.4/debian/changelog	2026-05-04 01:17:41.000000000 +0200
@@ -1,3 +1,12 @@
+nano (8.4-1+deb13u1) trixie; urgency=medium
+
+  * Add upstream fix for CVE-2026-6842: possible creation of permissive
+    ~/.local.
+  * Add upstream patch for CVE-2026-6843: format string vulnerability.
+  * Update debian-branch to trixie.
+
+ -- Jordi Mallach <[email protected]>  Mon, 04 May 2026 01:17:41 +0200
+
 nano (8.4-1) unstable; urgency=medium
 
   * The "Steve Langasek" release. Thanks for your help, for the
diff -Nru nano-8.4/debian/gbp.conf nano-8.4/debian/gbp.conf
--- nano-8.4/debian/gbp.conf	2024-05-07 00:29:36.000000000 +0200
+++ nano-8.4/debian/gbp.conf	2026-05-04 01:17:27.000000000 +0200
@@ -1,5 +1,5 @@
 [DEFAULT] 
 pristine-tar = true 
-debian-branch = debian/latest
+debian-branch = trixie
 upstream-branch = upstream/latest
 upstream-vcs-tag = v%(version)s
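Review bot: `debian-branch = trixie` breaks the DEP-14 naming the file used until now (`debian/latest`, `upstream/latest`); the DEP-14 name for a stable-release branch would be `debian/trixie`. `upstream-branch = upstream/latest` is also left as is, so it is worth confirming that builds from this branch take the 8.4 source from pristine-tar and the `upstream-vcs-tag`, not from the tip of that upstream branch.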
diff -Nru nano-8.4/debian/patches/CVE-2026-6842.patch nano-8.4/debian/patches/CVE-2026-6842.patch
--- nano-8.4/debian/patches/CVE-2026-6842.patch	1970-01-01 01:00:00.000000000 +0100
+++ nano-8.4/debian/patches/CVE-2026-6842.patch	2026-05-04 01:15:16.000000000 +0200
@@ -0,0 +1,32 @@
+commit cb43493e00e5777d2433ecf5db6402983b282d6f
+Author: Benno Schulenberg <[email protected]>
+Date:   Mon Apr 6 11:00:21 2026 +0200
+
+    history: create the ~/.local directory with limited access rights
+    
+    Permitting everyone to write to the .local directory gave attackers
+    (on platforms where umask is 000) a tiny opportunity to become the
+    owner of the .local/share subdirectory, which would allow them to
+    install malicious .desktop files.
+    
+    This fixes https://bugzilla.redhat.com/2455314.
+    Reported-by: Michał Majchrowicz <[email protected]>
+    Patch-by: Michał Majchrowicz <[email protected]>
+    Signed-off-by: Benno Schulenberg <[email protected]>
+    
+    Bug existed since version 2.9.1, commit 4200ed30,
+    from shortly after support for XDG was added.
+
+diff --git a/src/history.c b/src/history.c
+index ecae821f2..b1f245cdd 100644
+--- a/src/history.c
++++ b/src/history.c
+@@ -227,7 +227,7 @@ bool have_statedir(void)
+ 	if (stat(statedir, &dirinfo) == -1) {
+ 		if (xdgdatadir == NULL) {
+ 			char *statepath = concatenate(homedir, "/.local");
+-			mkdir(statepath, S_IRWXU | S_IRWXG | S_IRWXO);
++			mkdir(statepath, S_IRWXU);
+ 			free(statepath);
+ 			statepath = concatenate(homedir, "/.local/share");
+ 			mkdir(statepath, S_IRWXU);
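Review bot: the new `mkdir(statepath, S_IRWXU);` for ~/.local only helps when this call creates the directory; a ~/.local that already exists with a loose mode stays as it is, because mkdir() then fails with EEXIST and does not change permissions. The return values of both mkdir() calls in this block are also ignored. The changelog entry could say that existing directories are not tightened by the update, so administrators on affected setups know to check the mode of ~/.local themselves.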
diff -Nru nano-8.4/debian/patches/CVE-2026-6843.patch nano-8.4/debian/patches/CVE-2026-6843.patch
--- nano-8.4/debian/patches/CVE-2026-6843.patch	1970-01-01 01:00:00.000000000 +0100
+++ nano-8.4/debian/patches/CVE-2026-6843.patch	2026-05-04 01:17:06.000000000 +0200
@@ -0,0 +1,30 @@
+commit 0b7328bce452bf1b0bbff81276425d4809a9b6fd
+Author: Benno Schulenberg <[email protected]>
+Date:   Wed Apr 1 11:44:27 2026 +0200
+
+    feedback: prevent interpretation of %s and similar in a filename
+    
+    When a filename contains things that look like format specifiers
+    (%s, %p, %n, ...) and opening this file throws some error and this
+    file is opened together with others, then switching to the relevant
+    buffer would cause the %x parts to be interpreted as actual format
+    specifiers, resulting in the leakage of information, or in a crash,
+    or possibly in arbitrary memory writes.
+    
+    Reported-by: Jonathan Echavarria <[email protected]>
+    Patch-by: Jonathan Echavarria <[email protected]>
+    Signed-off-by: Benno Schulenberg <[email protected]>
+
+diff --git a/src/files.c b/src/files.c
+index ba4b7273e..7ae1389e5 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -579,7 +579,7 @@ void redecorate_after_switch(void)
+ 	/* If the switched-to buffer gave an error during opening, show the message
+ 	 * once; otherwise, indicate on the status bar which file we switched to. */
+ 	if (openfile->errormessage) {
+-		statusline(ALERT, openfile->errormessage);
++		statusline(ALERT, "%s", openfile->errormessage);
+ 		free(openfile->errormessage);
+ 		openfile->errormessage = NULL;
+ 	} else
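Review bot: the `"%s"` added in redecorate_after_switch() fixes this one call site, but nothing in the hunk stops another statusline() call from passing a stored, non-literal string as the format. Worth confirming that statusline() is declared with a printf format attribute so that -Wformat-security flags such calls at build time, and that the remaining callers that pass saved messages were audited for the same pattern.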
diff -Nru nano-8.4/debian/patches/series nano-8.4/debian/patches/series
--- nano-8.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ nano-8.4/debian/patches/series	2026-05-04 01:17:06.000000000 +0200
@@ -0,0 +1,2 @@
+CVE-2026-6842.patch
+CVE-2026-6843.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.5

This update has been released as part of Debian 13.5.

--- End Message ---
