import CS nano-5.6.1-6.el9

2024-09-30 16:08:51 +00:00 · 2024-09-30 16:08:51 +00:00 · 85892ccaeb
commit 85892ccaeb
parent 1b7164b5e6
2 changed files with 109 additions and 1 deletions
--- a/SOURCES/nano-5.6.1-emergency-file-replace-vuln.patch
+++ b/SOURCES/nano-5.6.1-emergency-file-replace-vuln.patch
@ -0,0 +1,102 @@
+From 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+
+Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
+Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
+
+diff --git a/src/definitions.h b/src/definitions.h
+index af3a793..55d8235 100644
+--- a/src/definitions.h
+++ b/src/definitions.h
+@@ -254,7 +254,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-	OVERWRITE, APPEND, PREPEND
+	OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index 57c2001..584b579 100644
+--- a/src/files.c
+++ b/src/files.c
+@@ -1751,6 +1751,8 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+ #endif
+ 	char *realname = real_dir_from_tilde(name);
+ 		/* The filename after tilde expansion. */
+	int fd = 0;
+		/* The descriptor that is assigned when opening the file. */
+ 	char *tempname = NULL;
+ 		/* The name of the temporary file we use when prepending. */
+ 	linestruct *line = openfile->filetop;
+@@ -1830,7 +1830,6 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+ 	 * For an emergency file, access is restricted to just the owner. */
+ 	if (thefile == NULL) {
+ 		mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
+-		int fd;
+ 
+ #ifndef NANO_TINY
+ 		block_sigwinch(TRUE);
+@@ -1953,6 +1953,16 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+ 		goto cleanup_and_exit;
+ 	}
+ 
+#ifndef NANO_TINY
+	/* Change permissions and owner of an emergency save file to the values
+	 * of the original file, but ignore any failure as we are in a hurry. */
+	if (method == EMERGENCY && fd && openfile->statinfo) {
+		IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
+		IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
+											openfile->statinfo->st_gid));
+	}
+#endif
+
+ 	if (fclose(thefile) != 0) {
+ 		statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
+ 		goto cleanup_and_exit;
+ 
+diff --git a/src/nano.c b/src/nano.c
+index 90b4a0b..973054f 100644
+--- a/src/nano.c
+++ b/src/nano.c
+@@ -321,25 +321,15 @@ void emergency_save(const char *filename)
+ 	targetname = get_next_filename(plainname, ".save");
+ 
+ 	if (*targetname != '\0')
+-		failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
+		failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
+ 
+ 	if (!failed)
+ 		fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+ 	else if (*targetname != '\0')
+ 		fprintf(stderr, _("\nBuffer not written to %s: %s\n"),
+ 										targetname, strerror(errno));
+ 	else
+ 		fprintf(stderr, _("\nToo many .save files"));
+-
+-#ifndef NANO_TINY
+-	/* Try to chmod/chown the saved file to the values of the original file,
+-	 * but ignore any failure as we are in a hurry to get out. */
+-	if (openfile->statinfo) {
+-		IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
+-		IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+-												openfile->statinfo->st_gid));
+-	}
+-#endif
+ 
+ 	free(targetname);
+ }
+-- 
+cgit v1.1
+
--- a/SPECS/nano.spec
+++ b/SPECS/nano.spec
@ -8,7 +8,7 @@
 Summary:         A small text editor
 Name:            nano
 Version:         5.6.1
-Release:         5%{?dist}
+Release:         6%{?dist}
 License:         GPLv3+
 URL:             https://www.nano-editor.org
 Source:          https://www.nano-editor.org/dist/latest/%{name}-%{version}.tar.xz
@ -19,6 +19,9 @@ Source11:        nano-default-editor.sh
 Source12:        nano-default-editor.csh
 Source13:        nano-default-editor.fish

+# fix emergency file replacement vulnerability (CVE-2024-5742)
+Patch0:          nano-5.6.1-emergency-file-replace-vuln.patch
+
 BuildRequires:   file-devel
 BuildRequires:   gettext-devel
 BuildRequires:   gcc
@ -109,6 +112,9 @@ install -Dpm 0644 %{SOURCE13} %{buildroot}%{_datadir}/fish/vendor_conf.d/%{basen


 %changelog
+* Mon Jul 01 2024 Lukáš Zaoral <lzaoral@redhat.com> - 5.6.1-6
+- fix emergency file replacement vulnerability (RHEL-35237)
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.6.1-5
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688