fix properly emergency file replacement vulnerability (CVE-2024-5742)

Resolves: RHEL-35236
This commit is contained in:
Lukáš Zaoral 2024-07-11 10:38:23 +02:00
parent 2bc5581c4f
commit 13367d79d6
No known key found for this signature in database
GPG Key ID: 39157506DD67752D
2 changed files with 50 additions and 25 deletions

View File

@ -14,24 +14,34 @@ and chowning of the emergency .save file was added.
Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
diff --git a/src/nano.h b/src/nano.h
index af3a793..55d8235 100644
--- a/src/nano.h
+++ b/src/nano.h
@@ -157,7 +157,7 @@ typedef enum {
} message_type;
---
src/files.c | 18 +++++++++++++++---
src/nano.c | 12 +-----------
src/nano.h | 2 +-
3 files changed, 17 insertions(+), 15 deletions(-)
typedef enum {
- OVERWRITE, APPEND, PREPEND
+ OVERWRITE, APPEND, PREPEND, EMERGENCY
} kind_of_writing_type;
typedef enum {
diff --git a/src/files.c b/src/files.c
index 57c2001..584b579 100644
index 8cdf195..e822068 100644
--- a/src/files.c
+++ b/src/files.c
@@ -1927,7 +1927,19 @@ bool write_file(const char *name, FILE *thefile, bool normal,
@@ -1551,7 +1551,7 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
* set retval and then goto cleanup_and_exit. */
size_t lineswritten = 0;
const filestruct *fileptr = openfile->fileage;
- int fd;
+ int fd = 0;
/* The file descriptor we use. */
mode_t original_umask = 0;
/* Our umask, from when nano started. */
@@ -1920,14 +1920,26 @@ bool write_file(const char *name, FILE *f_open, bool tmp,
goto cleanup_and_exit;
}
- if (copy_file(f_source, f, TRUE) != 0) {
+ if (copy_file(f_source, f, FALSE) != 0) {
statusline(ALERT, _("Error writing %s: %s"), realname,
strerror(errno));
goto cleanup_and_exit;
}
unlink(tempname);
@ -53,10 +63,10 @@ index 57c2001..584b579 100644
strerror(errno));
goto cleanup_and_exit;
diff --git a/src/nano.c b/src/nano.c
index 90b4a0b..973054f 100644
index 79b5450..9b9c468 100644
--- a/src/nano.c
+++ b/src/nano.c
@@ -644,25 +644,15 @@ void emergency_save(const char *filename)
@@ -644,7 +644,7 @@ void emergency_save(const char *die_filename, struct stat *die_stat)
targetname = get_next_filename(die_filename, ".save");
if (*targetname != '\0')
@ -65,13 +75,10 @@ index 90b4a0b..973054f 100644
if (!failed)
fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
else if (*targetname != '\0')
fprintf(stderr, _("\nBuffer not written to %s: %s\n"), targetname,
strerror(errno));
else
@@ -655,16 +655,6 @@ void emergency_save(const char *die_filename, struct stat *die_stat)
fprintf(stderr, _("\nBuffer not written: %s\n"),
_("Too many backup files?"));
-
-#ifndef NANO_TINY
- /* Try to chmod/chown the saved file to the values of the original file,
- * but ignore any failure as we are in a hurry to get out. */
@ -81,9 +88,23 @@ index 90b4a0b..973054f 100644
- die_stat->st_gid));
- }
-#endif
-
free(targetname);
}
--
cgit v1.1
diff --git a/src/nano.h b/src/nano.h
index 4fd186a..5e22fb7 100644
--- a/src/nano.h
+++ b/src/nano.h
@@ -157,7 +157,7 @@ typedef enum {
} message_type;
typedef enum {
- OVERWRITE, APPEND, PREPEND
+ OVERWRITE, APPEND, PREPEND, EMERGENCY
} kind_of_writing_type;
typedef enum {
--
2.45.2

View File

@ -1,7 +1,7 @@
Summary: A small text editor
Name: nano
Version: 2.9.8
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv3+
URL: https://www.nano-editor.org
Source: https://www.nano-editor.org/dist/v2.9/%{name}-%{version}.tar.gz
@ -83,6 +83,10 @@ exit 0
%{_datadir}/nano
%changelog
* Thu Jul 11 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.9.8-3
- fix incomplete backport of the fix for the emergency file replacement
vulnerability (RHEL-35236)
* Thu Jul 04 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.9.8-2
- fix emergency file replacement vulnerability (RHEL-35236)