From: Siddharth Doshi <sdo...@mvista.com>

Upstream-Status: Backport from 
[https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2]

CVE's Fixed:
CVE-2024-5742 nano: running `chmod` and `chown` on the filename allows 
malicious user to replace the emergency file with a malicious symlink to a 
root-owned file

Signed-off-by: Siddharth Doshi <sdo...@mvista.com>
---
 .../nano/files/CVE-2024-5742.patch            | 101 ++++++++++++++++++
 meta-oe/recipes-support/nano/nano_7.2.bb      |   4 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-support/nano/files/CVE-2024-5742.patch

diff --git a/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch 
b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch
new file mode 100644
index 000000000..f29b73c53
--- /dev/null
+++ b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch
@@ -0,0 +1,101 @@
+From aad1439553de8ce0ef8815a65ac0732dc804507b Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensb...@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: [PATCH] files: run `chmod` and `chown` on the descriptor, not on the
+ filename
+
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+
+Upstream-Status: Backport from 
[https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2]
+CVE: CVE-2024-5742
+Signed-off-by: Siddharth Doshi <sdo...@mvista.com>
+---
+ src/definitions.h |  2 +-
+ src/files.c       | 13 ++++++++++++-
+ src/nano.c        | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+
+diff --git a/src/definitions.h b/src/definitions.h
+index 288f1ff..04614a3 100644
+--- a/src/definitions.h
++++ b/src/definitions.h
+@@ -283,7 +283,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-      OVERWRITE, APPEND, PREPEND
++      OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index c6eadc1..88397d3 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -1760,6 +1760,8 @@ bool write_file(const char *name, FILE *thefile, bool 
normal,
+ #endif
+       char *realname = real_dir_from_tilde(name);
+               /* The filename after tilde expansion. */
++      int fd = 0;
++              /* The descriptor that is assigned when opening the file. */
+       char *tempname = NULL;
+               /* The name of the temporary file we use when prepending. */
+       linestruct *line = openfile->filetop;
+@@ -1843,7 +1845,6 @@ bool write_file(const char *name, FILE *thefile, bool 
normal,
+        * For an emergency file, access is restricted to just the owner. */
+       if (thefile == NULL) {
+               mode_t permissions = (normal ? RW_FOR_ALL : S_IRUSR|S_IWUSR);
+-              int fd;
+ 
+ #ifndef NANO_TINY
+               block_sigwinch(TRUE);
+@@ -1969,6 +1970,16 @@ bool write_file(const char *name, FILE *thefile, bool 
normal,
+               }
+ #endif
+ 
++#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
++      /* Change permissions and owner of an emergency save file to the values
++       * of the original file, but ignore any failure as we are in a hurry. */
++      if (method == EMERGENCY && fd && openfile->statinfo) {
++              IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
++              IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
++                                                                              
        openfile->statinfo->st_gid));
++      }
++#endif
++
+       if (fclose(thefile) != 0) {
+               statusline(ALERT, _("Error writing %s: %s"), realname, 
strerror(errno));
+ 
+diff --git a/src/nano.c b/src/nano.c
+index c6db6dd..c8e5265 100644
+--- a/src/nano.c
++++ b/src/nano.c
+@@ -337,18 +337,8 @@ void emergency_save(const char *filename)
+ 
+       if (*targetname == '\0')
+               fprintf(stderr, _("\nToo many .save files\n"));
+-      else if (write_file(targetname, NULL, SPECIAL, OVERWRITE, NONOTES)) {
++      else if (write_file(targetname, NULL, SPECIAL, EMERGENCY, NONOTES))
+               fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+-#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
+-              /* Try to chmod/chown the saved file to the values of the 
original file,
+-               * but ignore any failure as we are in a hurry to get out. */
+-              if (openfile->statinfo) {
+-                      IGNORE_CALL_RESULT(chmod(targetname, 
openfile->statinfo->st_mode));
+-                      IGNORE_CALL_RESULT(chown(targetname, 
openfile->statinfo->st_uid,
+-                                                                              
                        openfile->statinfo->st_gid));
+-              }
+-#endif
+-      }
+ 
+       free(targetname);
+       free(plainname);
+-- 
+2.44.0
+
diff --git a/meta-oe/recipes-support/nano/nano_7.2.bb 
b/meta-oe/recipes-support/nano/nano_7.2.bb
index 0642287c9..73d46949d 100644
--- a/meta-oe/recipes-support/nano/nano_7.2.bb
+++ b/meta-oe/recipes-support/nano/nano_7.2.bb
@@ -12,7 +12,9 @@ RDEPENDS:${PN} = "ncurses-terminfo-base"
 
 PV_MAJOR = "${@d.getVar('PV').split('.')[0]}"
 
-SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz";
+SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz \
+           file://CVE-2024-5742.patch \
+          "
 SRC_URI[sha256sum] = 
"86f3442768bd2873cec693f83cdf80b4b444ad3cc14760b74361474fc87a4526"
 
 UPSTREAM_CHECK_URI = "https://ftp.gnu.org/gnu/nano";
-- 
2.34.1

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#110894): 
https://lists.openembedded.org/g/openembedded-devel/message/110894
Mute This Topic: https://lists.openembedded.org/mt/106652961/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to