Bug 1226099 (CVE-2024-5742) - VUL-0: CVE-2024-5742: nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file
Status: IN_PROGRESS
Alias: CVE-2024-5742
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/409081/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-5742:6.3:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-07 16:34 UTC by SMASH SMASH
Modified: 2024-06-11 22:04 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-06-07 16:34:22 UTC
When nano is killed while it has a modified buffer, it saves this buffer to an emergency .save file and then chmods and chowns this file to the permissions and owner of the original file. This means that when nano is run as root and edits a user-owned file in a directory that is writable by that user, it gives a malicious user a window of opportunity to replace the .save file with a malicious symlink to a root-owned file. To be exploitable, it requires that the malicious user is able to kill the nano run by root. The original reporters of the problem said this:

We think it will mostly have an impact on multi-user systems. Where an admin might open a user's file -- for example to fix a broken config file. This could be in a user directory, requiring the admin to either become the user, or become root. If an admin does the latter, this attack can be performed - as long as the user can kill nano of course. One such example might be when root is logged in over `ssh` to a low-privilege user machine and the user can turn off the wifi on that machine.

https://bugzilla.redhat.com/show_bug.cgi?id=2277586
https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5742
https://bugzilla.redhat.com/show_bug.cgi?id=2278574
Comment 2 OBSbugzilla Bot 2024-06-07 19:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1226099) was mentioned in
https://build.opensuse.org/request/show/1179346 Backports:SLE-15-SP5+Backports:SLE-15-SP6 / nano
Comment 3 Marcus Meissner 2024-06-11 22:04:51 UTC
openSUSE-SU-2024:0157-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1226099
CVE References: CVE-2024-5742
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    nano-7.2-bp155.2.3.1