nano: Security fix for CVE-2024-5742

Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2] CVE's Fixed: CVE-2024-5742 nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Siddharth Doshi <sdoshi@mvista.com> 2024-06-13 20:17:01 +0530
committer: Armin Kuster <akuster808@gmail.com> 2024-06-17 09:08:35 -0400
commit: 366bac39bd996c34230daa0eaf1ac19fc3aa79b6 (patch)
tree: c55745746f115fe13542ff3179c114910be4f9e2
parent: d35e1e52bfddf8435c99fdfa552e4af133193ce3 (diff)
download: meta-openembedded-366bac39bd996c34230daa0eaf1ac19fc3aa79b6.tar.gz
2 files changed, 104 insertions, 1 deletions
diff --git a/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch
new file mode 100644
index 0000000000..f29b73c539
--- /dev/null
+++ b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch
@@ -0,0 +1,101 @@
+From aad1439553de8ce0ef8815a65ac0732dc804507b Mon Sep 17 00:00:00 2001
+From: Benno Schulenberg <bensberg@telfort.nl>
+Date: Sun, 28 Apr 2024 10:51:52 +0200
+Subject: [PATCH] files: run `chmod` and `chown` on the descriptor, not on the
+ filename
+This closes a window of opportunity where the emergency file could be
+replaced by a malicious symlink.
+The issue was reported by `MartinJM` and `InvisibleMeerkat`.
+Problem existed since version 2.2.0, commit 123110c5, when chmodding
+and chowning of the emergency .save file was added.
+Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2]
+CVE: CVE-2024-5742
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
+---
+ src/definitions.h |  2 +-
+ src/files.c       | 13 ++++++++++++-
+ src/nano.c        | 12 +-----------
+ 3 files changed, 14 insertions(+), 13 deletions(-)
+diff --git a/src/definitions.h b/src/definitions.h
+index 288f1ff..04614a3 100644
+--- a/src/definitions.h
+++ b/src/definitions.h
+@@ -283,7 +283,7 @@ typedef enum {
+ } message_type;
+ 
+ typedef enum {
+-       OVERWRITE, APPEND, PREPEND
+       OVERWRITE, APPEND, PREPEND, EMERGENCY
+ } kind_of_writing_type;
+ 
+ typedef enum {
+diff --git a/src/files.c b/src/files.c
+index c6eadc1..88397d3 100644
+--- a/src/files.c
+++ b/src/files.c
+@@ -1760,6 +1760,8 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+ #endif
+        char *realname = real_dir_from_tilde(name);
+                /* The filename after tilde expansion. */
+       int fd = 0;
+               /* The descriptor that is assigned when opening the file. */
+        char *tempname = NULL;
+                /* The name of the temporary file we use when prepending. */
+        linestruct *line = openfile->filetop;
+@@ -1843,7 +1845,6 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+         * For an emergency file, access is restricted to just the owner. */
+        if (thefile == NULL) {
+                mode_t permissions = (normal ? RW_FOR_ALL : S_IRUSR|S_IWUSR);
+-               int fd;
+ 
+ #ifndef NANO_TINY
+                block_sigwinch(TRUE);
+@@ -1969,6 +1970,16 @@ bool write_file(const char *name, FILE *thefile, bool normal,
+                }
+ #endif
+ 
+#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
+       /* Change permissions and owner of an emergency save file to the values
+        * of the original file, but ignore any failure as we are in a hurry. */
+       if (method == EMERGENCY && fd && openfile->statinfo) {
+               IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
+               IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
+                                                                                       openfile->statinfo->st_gid));
+       }
+#endif
+
+        if (fclose(thefile) != 0) {
+                statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
+ 
+diff --git a/src/nano.c b/src/nano.c
+index c6db6dd..c8e5265 100644
+--- a/src/nano.c
+++ b/src/nano.c
+@@ -337,18 +337,8 @@ void emergency_save(const char *filename)
+ 
+        if (*targetname == '\0')
+                fprintf(stderr, _("\nToo many .save files\n"));
+-       else if (write_file(targetname, NULL, SPECIAL, OVERWRITE, NONOTES)) {
+       else if (write_file(targetname, NULL, SPECIAL, EMERGENCY, NONOTES))
+                fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
+-#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
+-               /* Try to chmod/chown the saved file to the values of the original file,
+-                * but ignore any failure as we are in a hurry to get out. */
+-               if (openfile->statinfo) {
+-                       IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
+-                       IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
+-                                                                                                       openfile->statinfo->st_gid));
+-               }
+-#endif
+-       }
+ 
+        free(targetname);
+        free(plainname);
+-- 
+2.44.0
diff --git a/meta-oe/recipes-support/nano/nano_7.2.bb b/meta-oe/recipes-support/nano/nano_7.2.bb
index 0642287c98..73d46949d9 100644
--- a/meta-oe/recipes-support/nano/nano_7.2.bb
+++ b/meta-oe/recipes-support/nano/nano_7.2.bb
@@ -12,7 +12,9 @@ RDEPENDS:${PN} = "ncurses-terminfo-base"
 PV_MAJOR = "${@d.getVar('PV').split('.')[0]}"
-SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz"
+SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz \
+           file://CVE-2024-5742.patch \
+          "
 SRC_URI[sha256sum] = "86f3442768bd2873cec693f83cdf80b4b444ad3cc14760b74361474fc87a4526"
 UPSTREAM_CHECK_URI = "https://ftp.gnu.org/gnu/nano"
author	Siddharth Doshi <sdoshi@mvista.com>	2024-06-13 20:17:01 +0530
committer	Armin Kuster <akuster808@gmail.com>	2024-06-17 09:08:35 -0400
commit	366bac39bd996c34230daa0eaf1ac19fc3aa79b6 (patch)
tree	c55745746f115fe13542ff3179c114910be4f9e2
parent	d35e1e52bfddf8435c99fdfa552e4af133193ce3 (diff)
download	meta-openembedded-366bac39bd996c34230daa0eaf1ac19fc3aa79b6.tar.gz

diff --git a/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch new file mode 100644 index 0000000000..f29b73c539 --- /dev/null +++ b/meta-oe/recipes-support/nano/files/CVE-2024-5742.patch
@@ -0,0 +1,101 @@
		1	From aad1439553de8ce0ef8815a65ac0732dc804507b Mon Sep 17 00:00:00 2001
		2	From: Benno Schulenberg <bensberg@telfort.nl>
		3	Date: Sun, 28 Apr 2024 10:51:52 +0200
		4	Subject: [PATCH] files: run `chmod` and `chown` on the descriptor, not on the
		5	filename
		6
		7	This closes a window of opportunity where the emergency file could be
		8	replaced by a malicious symlink.
		9
		10	The issue was reported by `MartinJM` and `InvisibleMeerkat`.
		11
		12	Problem existed since version 2.2.0, commit 123110c5, when chmodding
		13	and chowning of the emergency .save file was added.
		14
		15	Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2]
		16	CVE: CVE-2024-5742
		17	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
		18	---
		19	src/definitions.h \| 2 +-
		20	src/files.c \| 13 ++++++++++++-
		21	src/nano.c \| 12 +-----------
		22	3 files changed, 14 insertions(+), 13 deletions(-)
		23
		24	diff --git a/src/definitions.h b/src/definitions.h
		25	index 288f1ff..04614a3 100644
		26	--- a/src/definitions.h
		27	+++ b/src/definitions.h
		28	@@ -283,7 +283,7 @@ typedef enum {
		29	} message_type;
		30
		31	typedef enum {
		32	- OVERWRITE, APPEND, PREPEND
		33	+ OVERWRITE, APPEND, PREPEND, EMERGENCY
		34	} kind_of_writing_type;
		35
		36	typedef enum {
		37	diff --git a/src/files.c b/src/files.c
		38	index c6eadc1..88397d3 100644
		39	--- a/src/files.c
		40	+++ b/src/files.c
		41	@@ -1760,6 +1760,8 @@ bool write_file(const char name, FILE thefile, bool normal,
		42	#endif
		43	char *realname = real_dir_from_tilde(name);
		44	/* The filename after tilde expansion. */
		45	+ int fd = 0;
		46	+ /* The descriptor that is assigned when opening the file. */
		47	char *tempname = NULL;
		48	/* The name of the temporary file we use when prepending. */
		49	linestruct *line = openfile->filetop;
		50	@@ -1843,7 +1845,6 @@ bool write_file(const char name, FILE thefile, bool normal,
		51	* For an emergency file, access is restricted to just the owner. */
		52	if (thefile == NULL) {
		53	mode_t permissions = (normal ? RW_FOR_ALL : S_IRUSR\|S_IWUSR);
		54	- int fd;
		55
		56	#ifndef NANO_TINY
		57	block_sigwinch(TRUE);
		58	@@ -1969,6 +1970,16 @@ bool write_file(const char name, FILE thefile, bool normal,
		59	}
		60	#endif
		61
		62	+#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
		63	+ /* Change permissions and owner of an emergency save file to the values
		64	+ * of the original file, but ignore any failure as we are in a hurry. */
		65	+ if (method == EMERGENCY && fd && openfile->statinfo) {
		66	+ IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
		67	+ IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
		68	+ openfile->statinfo->st_gid));
		69	+ }
		70	+#endif
		71	+
		72	if (fclose(thefile) != 0) {
		73	statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
		74
		75	diff --git a/src/nano.c b/src/nano.c
		76	index c6db6dd..c8e5265 100644
		77	--- a/src/nano.c
		78	+++ b/src/nano.c
		79	@@ -337,18 +337,8 @@ void emergency_save(const char *filename)
		80
		81	if (*targetname == '\0')
		82	fprintf(stderr, _("\nToo many .save files\n"));
		83	- else if (write_file(targetname, NULL, SPECIAL, OVERWRITE, NONOTES)) {
		84	+ else if (write_file(targetname, NULL, SPECIAL, EMERGENCY, NONOTES))
		85	fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
		86	-#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
		87	- /* Try to chmod/chown the saved file to the values of the original file,
		88	- * but ignore any failure as we are in a hurry to get out. */
		89	- if (openfile->statinfo) {
		90	- IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
		91	- IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
		92	- openfile->statinfo->st_gid));
		93	- }
		94	-#endif
		95	- }
		96
		97	free(targetname);
		98	free(plainname);
		99	--
		100	2.44.0
		101


diff --git a/meta-oe/recipes-support/nano/nano_7.2.bb b/meta-oe/recipes-support/nano/nano_7.2.bb index 0642287c98..73d46949d9 100644 --- a/meta-oe/recipes-support/nano/nano_7.2.bb +++ b/meta-oe/recipes-support/nano/nano_7.2.bb
@@ -12,7 +12,9 @@ RDEPENDS:${PN} = "ncurses-terminfo-base"
12		12
13	PV_MAJOR = "${@d.getVar('PV').split('.')[0]}"	13	PV_MAJOR = "${@d.getVar('PV').split('.')[0]}"
14		14
15	SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz"	15	SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz \
		16	file://CVE-2024-5742.patch \
		17	"
16	SRC_URI[sha256sum] = "86f3442768bd2873cec693f83cdf80b4b444ad3cc14760b74361474fc87a4526"	18	SRC_URI[sha256sum] = "86f3442768bd2873cec693f83cdf80b4b444ad3cc14760b74361474fc87a4526"
17		19
18	UPSTREAM_CHECK_URI = "https://ftp.gnu.org/gnu/nano"	20	UPSTREAM_CHECK_URI = "https://ftp.gnu.org/gnu/nano"