
Bug#1073556: bullseye-pu: package nano/5.4-2+deb11u3



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Jordi Mallach <jordi@debian.org>, security@debian.org

  * CVE-2024-5742: Emergency file symlink attack

For bookworm the pu-fix for this no-dsa CVE is part of #1070702.
diffstat for nano-5.4 nano-5.4

 changelog                                                               |    7 
 patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch |  102 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 110 insertions(+)

diff -Nru nano-5.4/debian/changelog nano-5.4/debian/changelog
--- nano-5.4/debian/changelog	2022-12-02 15:06:48.000000000 +0200
+++ nano-5.4/debian/changelog	2024-06-17 15:31:04.000000000 +0300
@@ -1,3 +1,10 @@
+nano (5.4-2+deb11u3) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-5742: Emergency file symlink attack
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 17 Jun 2024 15:31:04 +0300
+
 nano (5.4-2+deb11u2) bullseye; urgency=medium
 
   * The "No a l'ampliació del port" release.
diff -Nru nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
--- nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch	1970-01-01 02:00:00.000000000 +0200
+++ nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch	2024-06-17 15:31:04.000000000 +0300
@@ -0,0 +1,102 @@
+From dd7f348fc2e98fd7b6e2b329441aeb428fc424f3 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+---
+ src/definitions.h |  2 +-
+ src/files.c       | 13 ++++++++++++-
+ src/nano.c        | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/definitions.h b/src/definitions.h
+index b79a6218..4889ab03 100644
+--- a/src/definitions.h
++++ b/src/definitions.h
+@@ -141,7 +141,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-	OVERWRITE, APPEND, PREPEND
++	OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index ab9957c9..53e148d1 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1732,6 +1732,8 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ #endif
+ 	char *realname = real_dir_from_tilde(name);
+ 		/* The filename after tilde expansion. */
++	int fd = 0;
++		/* The descriptor that is assigned when opening the file. */
+ 	char *tempname = NULL;
+ 		/* The name of the temporary file we use when prepending. */
+ 	linestruct *line = openfile->filetop;
+@@ -1810,7 +1812,6 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ 	 * For an emergency file, access is restricted to just the owner. */
+ 	if (thefile == NULL) {
+ 		mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
+-		int fd;
+ 
+ #ifndef NANO_TINY
+ 		block_sigwinch(TRUE);
+@@ -1937,6 +1938,16 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ 	}
+ #endif
+ 
++#ifndef NANO_TINY
++	/* Change permissions and owner of an emergency save file to the values
++	 * of the original file, but ignore any failure as we are in a hurry. */
++	if (method == EMERGENCY && fd && openfile->statinfo) {
++		IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
++		IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
++											openfile->statinfo->st_gid));
++	}
++#endif
++
+ 	if (fclose(thefile) != 0) {
+ 		statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
+ 		goto cleanup_and_exit;
+diff --git a/src/nano.c b/src/nano.c
+index 521c4a03..76f0f879 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -328,7 +328,7 @@ void emergency_save(const char *plainname)
+ 	targetname = get_next_filename(plainname, ".save");
+ 
+ 	if (*targetname != '\0')
+-		failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
++		failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+ 	if (!failed)
+ 		fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+@@ -338,16 +338,6 @@ void emergency_save(const char *plainname)
+ 	else
+ 		fprintf(stderr, _("\nToo many .save files"));
+ 
+-#ifndef NANO_TINY
+-	/* Try to chmod/chown the saved file to the values of the original file,
+-	 * but ignore any failure as we are in a hurry to get out. */
+-	if (openfile->statinfo) {
+-		IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
+-		IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+-												openfile->statinfo->st_gid));
+-	}
+-#endif
+-
+ 	free(targetname);
+ }
+ 
+-- 
+2.30.2
+
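Review bot: In the embedded `src/files.c` change, `fd` is initialised to `0` and the new guard tests `fd` for truth, but 0 is a valid descriptor. If `open()` ever returned 0 (for example with stdin already closed), the `fchmod`/`fchown` step would be skipped silently and the emergency file would keep its owner-only mode. The conventional form is a `-1` sentinel, `int fd = -1;` with `if (method == EMERGENCY && fd >= 0 && openfile->statinfo)`; since that diverges from the upstream commit, it may be better raised upstream than carried in this stable update. Separately, `emergency_save()` now passes `EMERGENCY` where it used to pass `OVERWRITE`, and the rest of `write_file()` lies outside these hunks. It is worth confirming against the 5.4 source that every `method` comparison there, and the `open()` flags used for the `tmp` case, still behave as intended for the new enum value.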
diff -Nru nano-5.4/debian/patches/series nano-5.4/debian/patches/series
--- nano-5.4/debian/patches/series	2022-12-02 14:43:25.000000000 +0200
+++ nano-5.4/debian/patches/series	2024-06-17 15:31:04.000000000 +0300
@@ -36,3 +36,4 @@
 0036-input-ensure-that-no-more-bytes-are-consumed-than-ar.patch
 0037-execute-don-t-crash-when-an-empty-buffer-is-piped-th.patch
 0038-text-upon-Enter-eat-only-lefthand-blanks-not-any-oth.patch
+0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
