mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-14 05:49:57 +00:00
nano: Security fix for CVE-2024-5742
Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2] CVE's Fixed: CVE-2024-5742 nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Siddharth Doshi
committed by
Armin Kuster
Armin Kuster
parent
23398704b5
commit
6e72002046
@@ -0,0 +1,100 @@
|
||||
From 5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2 Mon Sep 17 00:00:00 2001
|
||||
From: Benno Schulenberg <bensberg@telfort.nl>
|
||||
Date: Sun, 28 Apr 2024 10:51:52 +0200
|
||||
Subject: files: run `chmod` and `chown` on the descriptor, not on the filename
|
||||
|
||||
This closes a window of opportunity where the emergency file could be
|
||||
replaced by a malicious symlink.
|
||||
|
||||
The issue was reported by `MartinJM` and `InvisibleMeerkat`.
|
||||
|
||||
Problem existed since version 2.2.0, commit 123110c5, when chmodding
|
||||
and chowning of the emergency .save file was added.
|
||||
|
||||
Upstream-Status: Backport from [https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2]
|
||||
CVE: CVE-2024-5742
|
||||
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
|
||||
---
|
||||
src/definitions.h | 2 +-
|
||||
src/files.c | 13 ++++++++++++-
|
||||
src/nano.c | 12 +-----------
|
||||
3 files changed, 14 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/src/definitions.h b/src/definitions.h
|
||||
index 2bdc782..e9d0de3 100644
|
||||
--- a/src/definitions.h
|
||||
+++ b/src/definitions.h
|
||||
@@ -277,7 +277,7 @@ typedef enum {
|
||||
} message_type;
|
||||
|
||||
typedef enum {
|
||||
- OVERWRITE, APPEND, PREPEND
|
||||
+ OVERWRITE, APPEND, PREPEND, EMERGENCY
|
||||
} kind_of_writing_type;
|
||||
|
||||
typedef enum {
|
||||
diff --git a/src/files.c b/src/files.c
|
||||
index 62cc8f2..c5527a6 100644
|
||||
--- a/src/files.c
|
||||
+++ b/src/files.c
|
||||
@@ -1760,6 +1760,8 @@ bool write_file(const char *name, FILE *thefile, bool normal,
|
||||
#endif
|
||||
char *realname = real_dir_from_tilde(name);
|
||||
/* The filename after tilde expansion. */
|
||||
+ int fd = 0;
|
||||
+ /* The descriptor that is assigned when opening the file. */
|
||||
char *tempname = NULL;
|
||||
/* The name of the temporary file we use when prepending. */
|
||||
linestruct *line = openfile->filetop;
|
||||
@@ -1843,7 +1845,6 @@ bool write_file(const char *name, FILE *thefile, bool normal,
|
||||
* For an emergency file, access is restricted to just the owner. */
|
||||
if (thefile == NULL) {
|
||||
mode_t permissions = (normal ? RW_FOR_ALL : S_IRUSR|S_IWUSR);
|
||||
- int fd;
|
||||
|
||||
#ifndef NANO_TINY
|
||||
block_sigwinch(TRUE);
|
||||
@@ -1970,6 +1971,16 @@ bool write_file(const char *name, FILE *thefile, bool normal,
|
||||
}
|
||||
#endif
|
||||
|
||||
+#if !defined(NANO_TINY) && defined(HAVE_CHMOD) && defined(HAVE_CHOWN)
|
||||
+ /* Change permissions and owner of an emergency save file to the values
|
||||
+ * of the original file, but ignore any failure as we are in a hurry. */
|
||||
+ if (method == EMERGENCY && fd && openfile->statinfo) {
|
||||
+ IGNORE_CALL_RESULT(fchmod(fd, openfile->statinfo->st_mode));
|
||||
+ IGNORE_CALL_RESULT(fchown(fd, openfile->statinfo->st_uid,
|
||||
+ openfile->statinfo->st_gid));
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (fclose(thefile) != 0) {
|
||||
statusline(ALERT, _("Error writing %s: %s"), realname, strerror(errno));
|
||||
|
||||
diff --git a/src/nano.c b/src/nano.c
|
||||
index 04ecdbb..2ce3462 100644
|
||||
--- a/src/nano.c
|
||||
+++ b/src/nano.c
|
||||
@@ -337,18 +337,8 @@ void emergency_save(const char *filename)
|
||||
|
||||
if (*targetname == '\0')
|
||||
fprintf(stderr, _("\nToo many .save files\n"));
|
||||
- else if (write_file(targetname, NULL, SPECIAL, OVERWRITE, NONOTES)) {
|
||||
+ else if (write_file(targetname, NULL, SPECIAL, EMERGENCY, NONOTES))
|
||||
fprintf(stderr, _("\nBuffer written to %s\n"), targetname);
|
||||
-#ifndef NANO_TINY
|
||||
- /* Try to chmod/chown the saved file to the values of the original file,
|
||||
- * but ignore any failure as we are in a hurry to get out. */
|
||||
- if (openfile->statinfo) {
|
||||
- IGNORE_CALL_RESULT(chmod(targetname, openfile->statinfo->st_mode));
|
||||
- IGNORE_CALL_RESULT(chown(targetname, openfile->statinfo->st_uid,
|
||||
- openfile->statinfo->st_gid));
|
||||
- }
|
||||
-#endif
|
||||
- }
|
||||
|
||||
free(targetname);
|
||||
free(plainname);
|
||||
--
|
||||
2.35.7
|
||||
|
||||
@@ -12,7 +12,9 @@ RDEPENDS:${PN} = "ncurses-terminfo-base"
|
||||
|
||||
PV_MAJOR = "${@d.getVar('PV').split('.')[0]}"
|
||||
|
||||
SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz"
|
||||
SRC_URI = "https://nano-editor.org/dist/v${PV_MAJOR}/nano-${PV}.tar.xz \
|
||||
file://CVE-2024-5742.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "2bca1804bead6aaf4ad791f756e4749bb55ed860eec105a97fba864bc6a77cb3"
|
||||
|
||||
UPSTREAM_CHECK_URI = "https://ftp.gnu.org/gnu/nano"
|
||||
|
||||
Reference in New Issue
Block a user