https://bugzilla.suse.com/show_bug.cgi?id=1226099 Bug ID: 1226099 Summary: VUL-0: CVE-2024-5742: nano: running `chmod` and `chown` on the filename allows malicious user to replace the emergency file with a malicious symlink to a root-owned file Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/409081/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: crrodriguez@opensuse.org Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: camila.matos@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- When nano is killed while it has a modified buffer, it saves this buffer to an emergency .save file and then chmods and chowns this file to the permissions and owner of the original file. This means that when nano is run as root and edits a user-owned file in a directory that is writable by that user, it gives a malicious user a window of opportunity to replace the .save file with a malicious symlink to a root-owned file. To be exploitable, it requires that the malicious user is able to kill the nano run by root. The original reporters of the problem said this: We think it will mostly have an impact on multi-user systems. Where an admin might open a user's file -- for example to fix a broken config file. This could be in a user directory, requiring the admin to either become the user, or become root. If an admin does the latter, this attack can be performed - as long as the user can kill nano of course. One such example might be when root is logged in over `ssh` to a low-privilege user machine and the user can turn off the wifi on that machine. https://bugzilla.redhat.com/show_bug.cgi?id=2277586 https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5df... References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-5742 https://bugzilla.redhat.com/show_bug.cgi?id=2278574 -- You are receiving this mail because: You are on the CC list for the bug.