From 13367d79d6c2cf916418e26b9db2a30e86e1a2df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?= Date: Thu, 11 Jul 2024 10:38:23 +0200 Subject: [PATCH] fix properly emergency file replacement vulnerability (CVE-2024-5742) Resolves: RHEL-35236 --- nano-2.9.8-emergency-file-replace-vuln.patch | 69 +++++++++++++------- nano.spec | 6 +- 2 files changed, 50 insertions(+), 25 deletions(-) diff --git a/nano-2.9.8-emergency-file-replace-vuln.patch b/nano-2.9.8-emergency-file-replace-vuln.patch index 4536cff..7d8499a 100644 --- a/nano-2.9.8-emergency-file-replace-vuln.patch +++ b/nano-2.9.8-emergency-file-replace-vuln.patch @@ -14,24 +14,34 @@ and chowning of the emergency .save file was added. Cherry-picked-by: Lukáš Zaoral Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 -diff --git a/src/nano.h b/src/nano.h -index af3a793..55d8235 100644 ---- a/src/nano.h -+++ b/src/nano.h -@@ -157,7 +157,7 @@ typedef enum { - } message_type; - - typedef enum { -- OVERWRITE, APPEND, PREPEND -+ OVERWRITE, APPEND, PREPEND, EMERGENCY - } kind_of_writing_type; - - typedef enum { +--- + src/files.c | 18 +++++++++++++++--- + src/nano.c | 12 +----------- + src/nano.h | 2 +- + 3 files changed, 17 insertions(+), 15 deletions(-) + diff --git a/src/files.c b/src/files.c -index 57c2001..584b579 100644 +index 8cdf195..e822068 100644 --- a/src/files.c 
+++ b/src/files.c -@@ -1927,7 +1927,19 @@ bool write_file(const char *name, FILE *thefile, bool normal, +@@ -1551,7 +1551,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp, + * set retval and then goto cleanup_and_exit. */ + size_t lineswritten = 0; + const filestruct *fileptr = openfile->fileage; +- int fd; ++ int fd = 0; + /* The file descriptor we use. */ + mode_t original_umask = 0; + /* Our umask, from when nano started. */ +@@ -1920,14 +1920,26 @@ bool write_file(const char *name, FILE *f_open, bool tmp, + goto cleanup_and_exit; + } + +- if (copy_file(f_source, f, TRUE) != 0) { ++ if (copy_file(f_source, f, FALSE) != 0) { + statusline(ALERT, _("Error writing %s: %s"), realname, + strerror(errno)); + goto cleanup_and_exit; } unlink(tempname); @@ -53,10 +63,10 @@ index 57c2001..584b579 100644 strerror(errno)); goto cleanup_and_exit; diff --git a/src/nano.c b/src/nano.c -index 90b4a0b..973054f 100644 +index 79b5450..9b9c468 100644 --- a/src/nano.c +++ b/src/nano.c -@@ -644,25 +644,15 @@ void emergency_save(const char *filename) +@@ -644,7 +644,7 @@ void emergency_save(const char *die_filename, struct stat *die_stat) targetname = get_next_filename(die_filename, ".save"); if (*targetname != '\0') @@ -65,13 +75,10 @@ index 90b4a0b..973054f 100644 if (!failed) fprintf(stderr, _("\nBuffer written to %s\n"), targetname); - else if (*targetname != '\0') - fprintf(stderr, _("\nBuffer not written to %s: %s\n"), targetname, - strerror(errno)); - else +@@ -655,16 +655,6 @@ void emergency_save(const char *die_filename, struct stat *die_stat) fprintf(stderr, _("\nBuffer not written: %s\n"), _("Too many backup files?")); -- + -#ifndef NANO_TINY - /* Try to chmod/chown the saved file to the values of the original file, - * but ignore any failure as we are in a hurry to get out. */ 
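Review bot: In the write_file() declarations, `int fd = 0;` uses a valid descriptor number (stdin) as the "not opened yet" value; `int fd = -1;` is the conventional sentinel, with any later test written as `fd >= 0`. The fchmod()/fchown() lines this backport adds fall outside the visible hunks, so whether they guard on `fd` could not be checked here; if `fd` is never assigned on some path, a zero default would either skip the permission change silently or apply it to descriptor 0, depending on that guard. Separately, `copy_file(f_source, f, FALSE)` no longer closes `f`, so the `goto cleanup_and_exit` directly below it appears to leave the stream open unless the label, which is not shown, closes it. If the flag was changed to keep the descriptor usable for the emergency chmod/chown, a short comment above the call such as `/* Keep f open; it is closed after the emergency fchmod/fchown. */` would record that.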
@@ -81,9 +88,23 @@ index 90b4a0b..973054f 100644 - die_stat->st_gid)); - } -#endif - +- free(targetname); } + +diff --git a/src/nano.h b/src/nano.h +index 4fd186a..5e22fb7 100644 +--- a/src/nano.h ++++ b/src/nano.h +@@ -157,7 +157,7 @@ typedef enum { + } message_type; + + typedef enum { +- OVERWRITE, APPEND, PREPEND ++ OVERWRITE, APPEND, PREPEND, EMERGENCY + } kind_of_writing_type; + + typedef enum { -- -cgit v1.1 +2.45.2 diff --git a/nano.spec b/nano.spec index 219af4a..7b130ec 100644 --- a/nano.spec +++ b/nano.spec @@ -1,7 +1,7 @@ Summary: A small text editor Name: nano Version: 2.9.8 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3+ URL: https://www.nano-editor.org Source: https://www.nano-editor.org/dist/v2.9/%{name}-%{version}.tar.gz @@ -83,6 +83,10 @@ exit 0 %{_datadir}/nano %changelog +* Thu Jul 11 2024 Lukáš Zaoral - 2.9.8-3 +- fix incomplete backport of the fix for the emergency file replacement + vulnerability (RHEL-35236) + * Thu Jul 04 2024 Lukáš Zaoral - 2.9.8-2 - fix emergency file replacement vulnerability (RHEL-35236)