Your message dated Sat, 29 Jun 2024 10:47:48 +0000
with message-id <e1snvcs-002bth...@coccia.debian.org>
and subject line Released with 11.10
has caused the Debian Bug report #1073556,
regarding bullseye-pu: package nano/5.4-2+deb11u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073556: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073556
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Jordi Mallach <jo...@debian.org>, secur...@debian.org

  * CVE-2024-5742: Emergency file symlink attack

For bookworm the pu-fix for this no-dsa CVE is part of #1070702.
diffstat for nano-5.4 nano-5.4

 changelog                                                               |    7 
 patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch |  102 ++++++++++
 patches/series                                                          |    1 
 3 files changed, 110 insertions(+)

diff -Nru nano-5.4/debian/changelog nano-5.4/debian/changelog
--- nano-5.4/debian/changelog   2022-12-02 15:06:48.000000000 +0200
+++ nano-5.4/debian/changelog   2024-06-17 15:31:04.000000000 +0300
@@ -1,3 +1,10 @@
+nano (5.4-2+deb11u3) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2024-5742: Emergency file symlink attack
+
+ -- Adrian Bunk <b...@debian.org>  Mon, 17 Jun 2024 15:31:04 +0300
+
 nano (5.4-2+deb11u2) bullseye; urgency=medium
 
   * The "No a l'ampliació del port" release.
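Review bot: the `CVE-2024-5742` line in the new changelog stanza does not say which patch carries the fix. Consider naming `0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch` in that entry so it can be matched to the file added under `debian/patches` without reading the debdiff.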
diff -Nru 
nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
 
nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
--- 
nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
     1970-01-01 02:00:00.000000000 +0200
+++ 
nano-5.4/debian/patches/0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
     2024-06-17 15:31:04.000000000 +0300
@@ -0,0 +1,102 @@
+From dd7f348fc2e98fd7b6e2b329441aeb428fc424f3 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensb...@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+---
+ src/definitions.h |  2 +-
+ src/files.c       | 13 ++++++++++++-
+ src/nano.c        | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/definitions.h b/src/definitions.h
+index b79a6218..4889ab03 100644
+--- a/src/definitions.h
++++ b/src/definitions.h
+@@ -141,7 +141,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-      OVERWRITE, APPEND, PREPEND
++      OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
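Review bot: `EMERGENCY` is appended to `kind_of_writing_type` with no comment, while the emergency caller in src/nano.c stops passing `OVERWRITE` and passes the new value instead. Any comparison against `OVERWRITE` in the parts of `write_file()` not shown here would now be false for emergency saves, so please confirm none exists, and add a one-line comment on the enum saying how `EMERGENCY` differs from `OVERWRITE`.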
+diff --git a/src/files.c b/src/files.c
+index ab9957c9..53e148d1 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1732,6 +1732,8 @@ bool write_file(const char *name, FILE *thefile, bool 
tmp,
+ #endif
+       char *realname = real_dir_from_tilde(name);
+               /* The filename after tilde expansion. */
++      int fd = 0;
++              /* The descriptor that is assigned when opening the file. */
+       char *tempname = NULL;
+               /* The name of the temporary file we use when prepending. */
+       linestruct *line = openfile->filetop;
+@@ -1810,7 +1812,6 @@ bool write_file(const char *name, FILE *thefile, bool 
tmp,
+        * For an emergency file, access is restricted to just the owner. */
+       if (thefile == NULL) {
+               mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
+-              int fd;
+ 
+ #ifndef NANO_TINY
+               block_sigwinch(TRUE);
+@@ -1937,6 +1938,16 @@ bool write_file(const char *name, FILE *thefile, bool 
tmp,
+       }
+ #endif
+ 
++#ifndef NANO_TINY
++      /* Change permissions and owner of an emergency save file to the values
++       * of the original file, but ignore any failure as we are in a hurry. */
++      if (method == EMERGENCY && fd && openfile->statinfo) {
++              IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
++              IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
++                                                                              
        openfile->statinfo->st_gid));
++      }
++#endif
++
+       if (fclose(thefile) != 0) {
+               statusline(ALERT, _("Error writing %s: %s"), realname, 
strerror(errno));
+               goto cleanup_and_exit;
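Review bot: the guard `method == EMERGENCY && fd && openfile->statinfo` treats 0 as "no descriptor" (matching `int fd = 0` in the first files.c hunk), but 0 is a valid descriptor number. If the file is opened on descriptor 0, for instance because standard input was already closed, the `fchmod`/`fchown` calls are skipped silently. That fails closed, since the file keeps the owner-only `S_IRUSR|S_IWUSR` mode chosen for `tmp`, but initialising `fd` to -1 and testing `fd >= 0` would state the intent without the ambiguity.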
+diff --git a/src/nano.c b/src/nano.c
+index 521c4a03..76f0f879 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -328,7 +328,7 @@ void emergency_save(const char *plainname)
+       targetname = get_next_filename(plainname, ".save");
+ 
+       if (*targetname != '\0')
+-              failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
++              failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+       if (!failed)
+               fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+@@ -338,16 +338,6 @@ void emergency_save(const char *plainname)
+       else
+               fprintf(stderr, _("\nToo many .save files"));
+ 
+-#ifndef NANO_TINY
+-      /* Try to chmod/chown the saved file to the values of the original file,
+-       * but ignore any failure as we are in a hurry to get out. */
+-      if (openfile->statinfo) {
+-              IGNORE_CALL_RESULT(chmod(targetname, 
openfile->statinfo->st_mode));
+-              IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+-                                                                              
                openfile->statinfo->st_gid));
+-      }
+-#endif
+-
+       free(targetname);
+ }
+ 
+-- 
+2.30.2
+
diff -Nru nano-5.4/debian/patches/series nano-5.4/debian/patches/series
--- nano-5.4/debian/patches/series      2022-12-02 14:43:25.000000000 +0200
+++ nano-5.4/debian/patches/series      2024-06-17 15:31:04.000000000 +0300
@@ -36,3 +36,4 @@
 0036-input-ensure-that-no-more-bytes-are-consumed-than-ar.patch
 0037-execute-don-t-crash-when-an-empty-buffer-is-piped-th.patch
 0038-text-upon-Enter-eat-only-lefthand-blanks-not-any-oth.patch
+0001-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch
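Review bot: the new entry is named `0001-...` but is appended after `0038-...`, so the numeric prefix no longer reflects the order in which quilt applies the series. Renaming the file to continue the sequence (`0039-files-run-chmod-and-chown-on-the-descriptor-not-on-t.patch`) would keep the prefix and the apply order in agreement.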

--- End Message ---
--- Begin Message ---
Version: 11.10

The upload requested in this bug has been released as part of 11.10.

--- End Message ---
