fix emergency file replacement vulnerability (CVE-2024-5742)

Resolves: RHEL-35236

nano-2.9.8-emergency-file-replace-vuln.patch

@@ -0,0 +1,89 @@
+From 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+
+Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
+Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
+
+diff --git a/src/nano.h b/src/nano.h
+index af3a793..55d8235 100644
+--- a/src/nano.h
++++ b/src/nano.h
+@@ -157,7 +157,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-	OVERWRITE, APPEND, PREPEND
++	OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index 57c2001..584b579 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1927,7 +1927,19 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+ 		}
+ 
+ 		unlink(tempname);
+-	} else if (fclose(f) != 0) {
++	}
++
++#ifndef NANO_TINY
++	/* Change permissions and owner of an emergency save file to the values
++	 * of the original file, but ignore any failure as we are in a hurry. */
++	if (method == EMERGENCY && fd && openfile->current_stat) {
++		IGNORE_CALL_RESULT(fchmod(fd, openfile->current_stat->st_mode));
++		IGNORE_CALL_RESULT(fchown(fd, openfile->current_stat->st_uid,
++											openfile->current_stat->st_gid));
++	}
++#endif
++
++	if (fclose(f) != 0) {
+ 		statusline(ALERT, _("Error writing %s: %s"), realname,
+ 						strerror(errno));
+ 		goto cleanup_and_exit;
+diff --git a/src/nano.c b/src/nano.c
+index 90b4a0b..973054f 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -644,25 +644,15 @@ void emergency_save(const char *filename)
+ 	targetname = get_next_filename(die_filename, ".save");
+ 
+ 	if (*targetname != '\0')
+-		failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
++		failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+ 	if (!failed)
+ 		fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+ 	else if (*targetname != '\0')
+ 		fprintf(stderr, _("\nBuffer not written to %s: %s\n"), targetname,
+ 				strerror(errno));
+ 	else
+ 		fprintf(stderr, _("\nBuffer not written: %s\n"),
+ 				_("Too many backup files?"));
+-
+-#ifndef NANO_TINY
+-	/* Try to chmod/chown the saved file to the values of the original file,
+-	 * but ignore any failure as we are in a hurry to get out. */
+-	if (die_stat) {
+-		IGNORE_CALL_RESULT(chmod(targetname, die_stat->st_mode));
+-		IGNORE_CALL_RESULT(chown(targetname, die_stat->st_uid,
+-												die_stat->st_gid));
+-	}
+-#endif
+ 
+ 	free(targetname);
+ }
+-- 
+cgit v1.1
+

nano.spec

@@ -1,12 +1,15 @@
 Summary:         A small text editor
 Name:            nano
 Version:         2.9.8
-Release:         1%{?dist}
+Release:         2%{?dist}
 License:         GPLv3+
 URL:             https://www.nano-editor.org
 Source:          https://www.nano-editor.org/dist/v2.9/%{name}-%{version}.tar.gz
 Source2:         nanorc
 
+# fix emergency file replacement vulnerability (CVE-2024-5742)
+Patch0:          nano-2.9.8-emergency-file-replace-vuln.patch
+
 BuildRequires:   file-devel
 BuildRequires:   gettext-devel
 BuildRequires:   gcc
@@ -80,6 +83,9 @@ exit 0
 %{_datadir}/nano
 
 %changelog
+* Thu Jul 04 2024 Lukáš Zaoral <lzaoral@redhat.com> - 2.9.8-2
+- fix emergency file replacement vulnerability (RHEL-35236)
+
 * Mon Jun 04 2018 Kamil Dudka <kdudka@redhat.com> - 2.9.8-1
 - new upstream release