rpms/nano
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS nano-5.6.1-6.el9

Browse Source
This commit is contained in:
eabdullin 2024-09-30 16:08:51 +00:00
parent 1b7164b5e6
commit 85892ccaeb
2 changed files with 109 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
SOURCES/nano-5.6.1-emergency-file-replace-vuln.patch Normal file
View File

@ -0,0 +1,102 @@
From 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 Mon Sep 17 00:00:00 2001
From: Benno Schulenberg <bensberg@telfort.nl>
Date: Sun, 28 Apr 2024 10:51:52 +0200
Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
This closes a window of opportunity where the emergency file could be
replaced by a malicious symlink.
The issue was reported by `MartinJM` and `InvisibleMeerkat`.
Problem existed since version 2.2.0, commit 123110c5, when chmodding
and chowning of the emergency .save file was added.
Cherry-picked-by: Lukáš Zaoral <lzaoral@redhat.com>
Upstream-commit: 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
diff --git a/src/definitions.h b/src/definitions.h
index af3a793..55d8235 100644
--- a/src/definitions.h
+++ b/src/definitions.h
@@ -254,7 +254,7 @@ typedef enum {
} message_type;
typedef enum {
- OVERWRITE, APPEND, PREPEND
+ OVERWRITE, APPEND, PREPEND, EMERGENCY
} kind_of_writing_type;
typedef enum {
diff --git a/src/files.c b/src/files.c
index 57c2001..584b579 100644
--- a/src/files.c
+++ b/src/files.c
@@ -1751,6 +1751,8 @@ bool write_file(const char *name, FILE *thefile, bool normal,
#endif
char *realname = real_dir_from_tilde(name);
/* The filename after tilde expansion. */
+ int fd = 0;
+ /* The descriptor that is assigned when opening the file. */
char *tempname = NULL;
/* The name of the temporary file we use when prepending. */
linestruct *line = openfile->filetop;
@@ -1830,7 +1830,6 @@ bool write_file(const char *name, FILE *thefile, bool normal,
* For an emergency file, access is restricted to just the owner. */
if (thefile == NULL) {
mode_t permissions = (tmp ? S_IRUSR|S_IWUSR : RW_FOR_ALL);
- int fd;
#ifndef NANO_TINY
block_sigwinch(TRUE);
@@ -1953,6 +1953,16 @@ bool write_file(const char *name, FILE *thefile, bool normal,
goto cleanup_and_exit;
}
+#ifndef NANO_TINY
+ /* Change permissions and owner of an emergency save file to the values
+ * of the original file, but ignore any failure as we are in a hurry. */
+ if (method == EMERGENCY && fd && openfile->statinfo) {
+ IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
+ IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
+ openfile->statinfo->st_gid));
+ }
+#endif
+
if (fclose(thefile) != 0) {
statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
goto cleanup_and_exit;
diff --git a/src/nano.c b/src/nano.c
index 90b4a0b..973054f 100644
--- a/src/nano.c
+++ b/src/nano.c
@@ -321,25 +321,15 @@ void emergency_save(const char *filename)
targetname = get_next_filename(plainname, ".save");
if (*targetname != '\0')
- failed = !write_file(targetname, NULL, TRUE, OVERWRITE, FALSE);
+ failed = !write_file(targetname, NULL, TRUE, EMERGENCY, FALSE);
if (!failed)
fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
else if (*targetname != '\0')
fprintf(stderr, _("\nBuffer not written to %s: %s\n"),
targetname, strerror(errno));
else
fprintf(stderr, _("\nToo many .save files"));
-
-#ifndef NANO_TINY
- /* Try to chmod/chown the saved file to the values of the original file,
- * but ignore any failure as we are in a hurry to get out. */
- if (openfile->statinfo) {
- IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
- IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
- openfile->statinfo->st_gid));
- }
-#endif
free(targetname);
}
--
cgit v1.1

8
SPECS/nano.spec
View File

@ -8,7 +8,7 @@
Summary: A small text editor Summary: A small text editor
Name: nano Name: nano
Version: 5.6.1 Version: 5.6.1
Release: 5%{?dist} Release: 6%{?dist}
License: GPLv3+ License: GPLv3+
URL: https://www.nano-editor.org URL: https://www.nano-editor.org
Source: https://www.nano-editor.org/dist/latest/%{name}-%{version}.tar.xz Source: https://www.nano-editor.org/dist/latest/%{name}-%{version}.tar.xz
@ -19,6 +19,9 @@ Source11: nano-default-editor.sh
Source12: nano-default-editor.csh Source12: nano-default-editor.csh
Source13: nano-default-editor.fish Source13: nano-default-editor.fish
# fix emergency file replacement vulnerability (CVE-2024-5742)
Patch0: nano-5.6.1-emergency-file-replace-vuln.patch
BuildRequires: file-devel BuildRequires: file-devel
BuildRequires: gettext-devel BuildRequires: gettext-devel
BuildRequires: gcc BuildRequires: gcc
@ -109,6 +112,9 @@ install -Dpm 0644 %{SOURCE13} %{buildroot}%{_datadir}/fish/vendor_conf.d/%{basen
%changelog %changelog
* Mon Jul 01 2024 Lukáš Zaoral <lzaoral@redhat.com> - 5.6.1-6
- fix emergency file replacement vulnerability (RHEL-35237)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.6.1-5 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 5.6.1-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688