fix properly emergency file replacement vulnerability (CVE-2024-5742)

Resolves: RHEL-35236

nano-2.9.8-emergency-file-replace-vuln.patch

@@ -14,24 +14,34 @@ and chowning of the emergency .save file was added.
 Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
 Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
 
-diff --git a/src/nano.h b/src/nano.h
+---
-index af3a793..55d8235 100644
+ src/files.c | 18 +++++++++++++++---
---- a/src/nano.h
+ src/nano.c  | 12 +-----------
-+++ b/src/nano.h
+ src/nano.h  |  2 +-
-@@ -157,7 +157,7 @@ typedef enum {
+ 3 files changed, 17 insertions(+), 15 deletions(-)
- } message_type;
+
- 
- typedef enum {
--	OVERWRITE, APPEND, PREPEND
-+	OVERWRITE, APPEND, PREPEND, EMERGENCY
- } kind_of_writing_type;
- 
- typedef enum {
 diff --git a/src/files.c b/src/files.c
-index 57c2001..584b579 100644
+index 8cdf195..e822068 100644
 --- a/src/files.c
 +++ b/src/files.c
-@@ -1927,7 +1927,19 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+@@ -1551,7 +1551,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
+ 		 * set retval and then goto cleanup_and_exit. */
+ 	size_t lineswritten = 0;
+ 	const filestruct *fileptr = openfile->fileage;
+-	int fd;
++	int fd = 0;
+ 		/* The file descriptor we use. */
+ 	mode_t original_umask = 0;
+ 		/* Our umask, from when nano started. */
+@@ -1920,14 +1920,26 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
+ 			goto cleanup_and_exit;
+ 		}
+ 
+-		if (copy_file(f_source, f, TRUE) != 0) {
++		if (copy_file(f_source, f, FALSE) != 0) {
+ 			statusline(ALERT, _("Error writing %s: %s"), realname,
+ 						strerror(errno));
+ 			goto cleanup_and_exit;
  		}
  
  		unlink(tempname);
@@ -53,10 +63,10 @@ index 57c2001..584b579 100644
  						strerror(errno));
  		goto cleanup_and_exit;
 diff --git a/src/nano.c b/src/nano.c
-index 90b4a0b..973054f 100644
+index 79b5450..9b9c468 100644
 --- a/src/nano.c
 +++ b/src/nano.c
-@@ -644,25 +644,15 @@ void emergency_save(const char *filename)
+@@ -644,7 +644,7 @@ void emergency_save(const char *die_filename, struct stat *die_stat)
  	targetname = get_next_filename(die_filename, ".save");
  
  	if (*targetname != '\0')
@@ -65,13 +75,10 @@ index 90b4a0b..973054f 100644
  
  	if (!failed)
  		fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
- 	else if (*targetname != '\0')
+@@ -655,16 +655,6 @@ void emergency_save(const char *die_filename, struct stat *die_stat)
- 		fprintf(stderr, _("\nBuffer not written to %s: %s\n"), targetname,
- 				strerror(errno));
- 	else
  		fprintf(stderr, _("\nBuffer not written: %s\n"),
  				_("Too many backup files?"));
--
+ 
 -#ifndef NANO_TINY
 -	/* Try to chmod/chown the saved file to the values of the original file,
 -	 * but ignore any failure as we are in a hurry to get out. */
@@ -81,9 +88,23 @@ index 90b4a0b..973054f 100644
 -												die_stat->st_gid));
 -	}
 -#endif
- 
+-
  	free(targetname);
  }
+ 
+diff --git a/src/nano.h b/src/nano.h
+index 4fd186a..5e22fb7 100644
+--- a/src/nano.h
++++ b/src/nano.h
+@@ -157,7 +157,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-	OVERWRITE, APPEND, PREPEND
++	OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
 -- 
-cgit v1.1
+2.45.2
 

nano.spec

@@ -1,7 +1,7 @@
 Summary:         A small text editor
 Name:            nano
 Version:         2.9.8
-Release:         2%{?dist}
+Release:         3%{?dist}
 License:         GPLv3+
 URL:             https://www.nano-editor.org
 Source:          https://www.nano-editor.org/dist/v2.9/%{name}-%{version}.tar.gz
@@ -83,6 +83,10 @@ exit 0
 %{_datadir}/nano
 
 %changelog
+* Thu Jul 11 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.9.8-3
+- fix incomplete backport of the fix for the emergency file replacement
+  vulnerability (RHEL-35236)
+
 * Thu Jul 04 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.9.8-2
 - fix emergency file replacement vulnerability (RHEL-35236)