Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:nano
User: [email protected]
Usertags: pu
Hi,

I'd like to have a nano update in the next point release, to fix two low-impact CVEs. The fixes are already in unstable and forky, and are straightforward one-liners.

[ Reason ]
carnil contacted me to propose this update for the next point release, and I have prepared it. The security issues are not urgent or critical, but it would be good to have fixes for them outside the security update channel.

[ Impact ]
2 security issues will remain unfixed in nano in trixie:
- a format string vuln, exploitable via the internal file browser
- a window to get ~/.local created with permissive permissions, enabling further exploits e.g. via malicious desktop files

[ Tests ]
Manually tested a build.

[ Risks ]
Close to none, the trees haven't diverged that much and the fixes are really straightforward.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
- Add two patches and a series file
- Adjust gbp.conf for the new branch

[ Other info ]
This is in coordination with Salvatore Bonaccorso.

-- 
Jordi Mallach <[email protected]>
Debian Project
diff -Nru nano-8.4/debian/changelog nano-8.4/debian/changelog --- nano-8.4/debian/changelog 2025-04-06 16:11:52.000000000 +0200 +++ nano-8.4/debian/changelog 2026-05-04 01:17:41.000000000 +0200 @@ -1,3 +1,12 @@ +nano (8.4-1+deb13u1) trixie; urgency=medium + + * Add upstream fix for CVE-2026-6842: possible creation of permissive + ~/.local. + * Add upstream patch for CVE-2026-6843: format string vulnerability. + * Update debian-branch to trixie. + + -- Jordi Mallach <[email protected]> Mon, 04 May 2026 01:17:41 +0200 + nano (8.4-1) unstable; urgency=medium * The "Steve Langasek" release. Thanks for your help, for the diff -Nru nano-8.4/debian/gbp.conf nano-8.4/debian/gbp.conf --- nano-8.4/debian/gbp.conf 2024-05-07 00:29:36.000000000 +0200 +++ nano-8.4/debian/gbp.conf 2026-05-04 01:17:27.000000000 +0200 @@ -1,5 +1,5 @@ [DEFAULT] pristine-tar = true -debian-branch = debian/latest +debian-branch = trixie upstream-branch = upstream/latest upstream-vcs-tag = v%(version)s diff -Nru nano-8.4/debian/patches/CVE-2026-6842.patch nano-8.4/debian/patches/CVE-2026-6842.patch --- nano-8.4/debian/patches/CVE-2026-6842.patch 1970-01-01 01:00:00.000000000 +0100 +++ nano-8.4/debian/patches/CVE-2026-6842.patch 2026-05-04 01:15:16.000000000 +0200 @@ -0,0 +1,32 @@ +commit cb43493e00e5777d2433ecf5db6402983b282d6f +Author: Benno Schulenberg <[email protected]> +Date: Mon Apr 6 11:00:21 2026 +0200 + + history: create the ~/.local directory with limited access rights + + Permitting everyone to write to the .local directory gave attackers + (on platforms where umask is 000) a tiny opportunity to become the + owner of the .local/share subdirectory, which would allow them to + install malicious .desktop files. + + This fixes https://bugzilla.redhat.com/2455314. + Reported-by: Michał Majchrowicz <[email protected]> + Patch-by: Michał Majchrowicz <[email protected]> + 
Signed-off-by: Benno Schulenberg <[email protected]> + + Bug existed since version 2.9.1, commit 4200ed30, + from shortly after support for XDG was added. + +diff --git a/src/history.c b/src/history.c +index ecae821f2..b1f245cdd 100644 +--- a/src/history.c ++++ b/src/history.c +@@ -227,7 +227,7 @@ bool have_statedir(void) + if (stat(statedir, &dirinfo) == -1) { + if (xdgdatadir == NULL) { + char *statepath = concatenate(homedir, "/.local"); +- mkdir(statepath, S_IRWXU | S_IRWXG | S_IRWXO); ++ mkdir(statepath, S_IRWXU); + free(statepath); + statepath = concatenate(homedir, "/.local/share"); + mkdir(statepath, S_IRWXU); diff -Nru nano-8.4/debian/patches/CVE-2026-6843.patch nano-8.4/debian/patches/CVE-2026-6843.patch --- nano-8.4/debian/patches/CVE-2026-6843.patch 1970-01-01 01:00:00.000000000 +0100 +++ nano-8.4/debian/patches/CVE-2026-6843.patch 2026-05-04 01:17:06.000000000 +0200 @@ -0,0 +1,30 @@ +commit 0b7328bce452bf1b0bbff81276425d4809a9b6fd +Author: Benno Schulenberg <[email protected]> +Date: Wed Apr 1 11:44:27 2026 +0200 + + feedback: prevent interpretation of %s and similar in a filename + + When a filename contains things that look like format specifiers + (%s, %p, %n, ...) and opening this file throws some error and this + file is opened together with others, then switching to the relevant + buffer would cause the %x parts to be interpreted as actual format + specifiers, resulting in the leakage of information, or in a crash, + or possibly in arbitrary memory writes. + + Reported-by: Jonathan Echavarria <[email protected]> + Patch-by: Jonathan Echavarria <[email protected]> + 
Signed-off-by: Benno Schulenberg <[email protected]> + +diff --git a/src/files.c b/src/files.c +index ba4b7273e..7ae1389e5 100644 +--- a/src/files.c ++++ b/src/files.c +@@ -579,7 +579,7 @@ void redecorate_after_switch(void) + /* If the switched-to buffer gave an error during opening, show the message + * once; otherwise, indicate on the status bar which file we switched to. */ + if (openfile->errormessage) { +- statusline(ALERT, openfile->errormessage); ++ statusline(ALERT, "%s", openfile->errormessage); + free(openfile->errormessage); + openfile->errormessage = NULL; + } else diff -Nru nano-8.4/debian/patches/series nano-8.4/debian/patches/series --- nano-8.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ nano-8.4/debian/patches/series 2026-05-04 01:17:06.000000000 +0200 @@ -0,0 +1,2 @@ +CVE-2026-6842.patch +CVE-2026-6843.patch
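Review bot: in the CVE-2026-6842 hunk, `mkdir(statepath, S_IRWXU);` still discards mkdir's return value exactly as the replaced line did, so the EEXIST window the commit message describes (or a pre-planted symlink at ~/.local) goes unnoticed before `.local/share` is created underneath; consider checking the result and, on EEXIST, lstat-verifying that the path is a directory owned by the caller before proceeding. The mode itself is right: S_IRWXU (0700) is what the XDG Base Directory spec prescribes for base directories an application creates, and it matches the existing `mkdir(statepath, S_IRWXU);` for `.local/share` two lines below.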
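Review bot: the CVE-2026-6843 hunk fixes the one call site, `statusline(ALERT, "%s", openfile->errormessage);`, but the same shape (a stored, user-influenced string passed as the format argument) is worth grepping for across the other statusline() callers before this ships; if statusline() is declared with `__attribute__((format(printf, 2, 3)))`, building with -Wformat-security would have flagged this call and will catch any remaining ones at build time.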
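Review bot: both files added to debian/patches/series carry `git show` style headers (commit/Author/Date) rather than DEP-3 headers; adding `Origin: upstream, <commit id>` (the ids are already quoted at the top of each file) and a `Bug:` line for the upstream report would let the usual patch-tracking tooling pick them up.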
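The format-string issue behind CVE-2026-6843 comes down to the difference between the two statusline() calls in the hunk above. The following is an added example, not nano's code: `statusline()` here is a small stand-in that renders a printf-style message into a buffer, `build_error()` constructs the kind of message nano keeps in `openfile->errormessage`, and `show_error_safely()` shows the patched shape, where the stored message is passed as data through an explicit `"%s"` so any `%` sequences in the filename stay literal. All names and the sample filename are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not nano's code: a tiny stand-in for nano's statusline()
 * that renders a printf-style message into a fixed buffer. The format
 * attribute lets gcc/clang -Wformat-security flag any call that passes a
 * non-literal as the format string, which is exactly the bug pattern. */
static char status_buffer[256];

__attribute__((format(printf, 1, 2)))
static const char *statusline(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(status_buffer, sizeof status_buffer, format, ap);
    va_end(ap);
    return status_buffer;
}

/* Build the kind of error message nano stores in openfile->errormessage:
 * the user-controlled filename is embedded in the text (constructed). */
static void build_error(char *out, size_t outlen, const char *filename)
{
    snprintf(out, outlen, "Error reading %s: No such file or directory", filename);
}

/* Hardened pattern from the patch: the stored message is data, so it goes
 * through an explicit "%s" and any % sequences inside it stay literal. */
const char *show_error_safely(const char *filename)
{
    char message[256];
    build_error(message, sizeof message, filename);
    return statusline("%s", message);
}

/* For contrast only, the pre-patch call shape would be
 *     statusline(message);
 * With a filename such as "notes%s%p.txt", vsnprintf would then consume
 * nonexistent variadic arguments: undefined behaviour that can read stack
 * memory or crash. It is deliberately not executed in this example. */

int main(void)
{
    puts(show_error_safely("notes%s%p.txt"));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` is the cheap regression guard: because `statusline()` carries the format attribute, the hardened call compiles silently while the pre-patch shape produces a warning at the call site.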
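For CVE-2026-6842, the hunk narrows the mode of the freshly created ~/.local to S_IRWXU. As an added example (not nano's code), `create_private_dir()` below does the same mkdir but also checks its result and, when the directory already exists, verifies with lstat that it is a real directory owned by the caller and not group- or other-writable, which is the check a reviewer would want around the race the commit message describes. `demo_private_local()` is a constructed self-check that builds a throwaway home directory under /tmp (falling back to the current directory), creates `.local` in it twice and returns the resulting permission bits; the function names and the temp-directory layout are assumptions of the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Added example, not nano's code. Mirrors the patched
 * mkdir(statepath, S_IRWXU) but also handles what the hunk still omits:
 * the result is checked, and an already existing path is verified to be
 * a directory owned by the caller with no group/other write bits.
 * Returns 0 on success, -1 with errno set otherwise. */
int create_private_dir(const char *path)
{
    struct stat info;

    if (mkdir(path, S_IRWXU) == 0)
        return 0;
    if (errno != EEXIST)
        return -1;

    /* lstat, not stat: a symlink planted at this path must not pass. */
    if (lstat(path, &info) == -1)
        return -1;
    if (!S_ISDIR(info.st_mode) || info.st_uid != geteuid()
            || (info.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Constructed self-check: make a throwaway "home", create ".local" in it
 * twice (fresh, then already existing), and return the permission bits
 * of the directory, or -1 on any failure. Temporary files are removed. */
int demo_private_local(void)
{
    char home[] = "/tmp/nano-demo-XXXXXX";
    char local_home[] = "./nano-demo-XXXXXX";
    char *base = mkdtemp(home);
    char path[64];
    struct stat info;
    int result = -1;

    if (base == NULL)
        base = mkdtemp(local_home);   /* fall back if /tmp is unusable */
    if (base == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/.local", base);

    if (create_private_dir(path) == 0        /* fresh creation */
            && create_private_dir(path) == 0 /* exists: verified, not an error */
            && lstat(path, &info) == 0)
        result = (int)(info.st_mode & 0777);

    rmdir(path);
    rmdir(base);
    return result;
}

int main(void)
{
    int mode = demo_private_local();
    printf("~/.local created with mode %04o\n", mode);
    return mode == 0700 ? 0 : 1;
}
```

Because mkdir applies the process umask, the requested mode can only lose bits, never gain them; that is why the original S_IRWXU | S_IRWXG | S_IRWXO was harmless under a normal umask and only opened the window on the umask 000 platforms the commit message names, and why S_IRWXU yields 0700 regardless of umask.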

