Bug#1073556: marked as done (bullseye-pu: package nano/5.4-2+deb11u3)

To: Jonathan Wiltshire <jmw@coccia.debian.org>
Subject: Bug#1073556: marked as done (bullseye-pu: package nano/5.4-2+deb11u3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 29 Jun 2024 10:57:59 +0000
Message-id: <[🔎] handler.1073556.D1073556.17196580721197623.ackdone@bugs.debian.org>
Reply-to: 1073556@bugs.debian.org
References: <E1sNVcS-002bth-DV@coccia.debian.org> <[🔎] 171862866712.11660.14722844081092425408.reportbug@localhost>

Your message dated Sat, 29 Jun 2024 10:47:48 +0000
with message-id <E1sNVcS-002bth-DV@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1073556,
regarding bullseye-pu: package nano/5.4-2+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073556
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bullseye-pu: package nano/5.4-2+deb11u3
From: Adrian Bunk <bunk@debian.org>
Date: Mon, 17 Jun 2024 15:51:07 +0300
Message-id: <[🔎] 171862866712.11660.14722844081092425408.reportbug@localhost>

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Jordi Mallach <jordi@debian.org>, security@debian.org

  * CVE-2024-5742: Emergency file symlink attack

For bookworm the pu-fix for this no-dsa CVE is part of #1070702.

diffstat for nano-5.4 nano-5.4

 changelog                                                               |    7 
 patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch |  102 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 110 insertions(+)

diff -Nru nano-5.4/debian/changelog nano-5.4/debian/changelog
--- nano-5.4/debian/changelog	2022-12-02 15:06:48.000000000 +0200
+++ nano-5.4/debian/changelog	2024-06-17 15:31:04.000000000 +0300
@@ -1,3 +1,10 @@
+nano (5.4-2+deb11u3) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-5742: Emergency file symlink attack
+
+ -- Adrian Bunk <bunk@debian.org>  Mon, 17 Jun 2024 15:31:04 +0300
+
 nano (5.4-2+deb11u2) bullseye; urgency=medium
 
   * The "No a l'ampliació del port" release.
diff -Nru nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
--- nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch	1970-01-01 02:00:00.000000000 +0200
+++ nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch	2024-06-17 15:31:04.000000000 +0300
@@ -0,0 +1,102 @@
+From dd7f348fc2e98fd7b6e2b329441aeb428fc424f3 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+---
+ src/definitions.h |  2 +-
+ src/files.c       | 13 ++++++++++++-
+ src/nano.c        | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/definitions.h b/src/definitions.h
+index b79a6218..4889ab03 100644
+--- a/src/definitions.h
++++ b/src/definitions.h
+@@ -141,7 +141,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-	OVERWRITE, APPEND, PREPEND
++	OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index ab9957c9..53e148d1 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1732,6 +1732,8 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ #endif
+ 	char *realname = real_dir_from_tilde(name);
+ 		/* The filename after tilde expansion. */
++	int fd = 0;
++		/* The descriptor that is assigned when opening the file. */
+ 	char *tempname = NULL;
+ 		/* The name of the temporary file we use when prepending. */
+ 	linestruct *line = openfile->filetop;
+@@ -1810,7 +1812,6 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ 	 * For an emergency file, access is restricted to just the owner. */
+ 	if (thefile == NULL) {
+ 		mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
+-		int fd;
+ 
+ #ifndef NANO_TINY
+ 		block_sigwinch(TRUE);
+@@ -1937,6 +1938,16 @@ bool write_file(const char *name, FILE *thefile, bool tmp,
+ 	}
+ #endif
+ 
++#ifndef NANO_TINY
++	/* Change permissions and owner of an emergency save file to the values
++	 * of the original file, but ignore any failure as we are in a hurry. */
++	if (method == EMERGENCY && fd && openfile->statinfo) {
++		IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
++		IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
++											openfile->statinfo->st_gid));
++	}
++#endif
++
+ 	if (fclose(thefile) != 0) {
+ 		statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
+ 		goto cleanup_and_exit;
+diff --git a/src/nano.c b/src/nano.c
+index 521c4a03..76f0f879 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -328,7 +328,7 @@ void emergency_save(const char *plainname)
+ 	targetname = get_next_filename(plainname, ".save");
+ 
+ 	if (*targetname != '\0')
+-		failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
++		failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+ 	if (!failed)
+ 		fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+@@ -338,16 +338,6 @@ void emergency_save(const char *plainname)
+ 	else
+ 		fprintf(stderr, _("\nToo many .save files"));
+ 
+-#ifndef NANO_TINY
+-	/* Try to chmod/chown the saved file to the values of the original file,
+-	 * but ignore any failure as we are in a hurry to get out. */
+-	if (openfile->statinfo) {
+-		IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
+-		IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+-												openfile->statinfo->st_gid));
+-	}
+-#endif
+-
+ 	free(targetname);
+ }
+ 
+-- 
+2.30.2
+
diff -Nru nano-5.4/debian/patches/series nano-5.4/debian/patches/series
--- nano-5.4/debian/patches/series	2022-12-02 14:43:25.000000000 +0200
+++ nano-5.4/debian/patches/series	2024-06-17 15:31:04.000000000 +0300
@@ -36,3 +36,4 @@
 0036-input-ensure-that-no-more-bytes-are-consumed-than-ar.patch
 0037-execute-don-t-crash-when-an-empty-buffer-is-piped-th.patch
 0038-text-upon-Enter-eat-only-lefthand-blanks-not-any-oth.patch
+0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch

--- End Message ---

--- Begin Message ---

To: 1073556-done@bugs.debian.org

Subject: Released with 11.10

From: Jonathan Wiltshire <jmw@coccia.debian.org>

Date: Sat, 29 Jun 2024 10:47:48 +0000

Message-id: <E1sNVcS-002bth-DV@coccia.debian.org>
Version: 11.10

The upload requested in this bug has been released as part of 11.10.
--- End Message ---

Reply to:

References:
- Bug#1073556: bullseye-pu: package nano/5.4-2+deb11u3
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: Bug#1073524: marked as done (bookworm-pu: package pymongo/3.11.0-1+deb12u1)
Next by Date: Bug#1073817: marked as done (bookworm-pu: package nvidia-open-gpu-kernel-modules/535.183.01-1~deb12u1)
Previous by thread: Processed: nano 5.4-2+deb11u3 flagged for acceptance
Next by thread: Bug#1050588: nsis 3.08-3+deb12u1 flagged for acceptance
Index(es):
- Date
- Thread