nano
cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*
A vulnerability exists in the text editor nano, specifically in how it handles directory permissions for the ~/.local directory. In environments with a permissive umask, nano creates this directory with insecure permissions of 0777, allowing local attackers to inject malicious .desktop launcher files. If these launchers are processed, they could trigger unintended actions or lead to information disclosure. This issue affects Red Hat Enterprise Linux 8 and 9.
Exploitation of this vulnerability could allow a local attacker to inject a malicious .desktop launcher into the user's ~/.local directory. If the injected launcher is executed, it could perform unintended actions or disclose sensitive information.
The vulnerability can be reproduced by creating a permissive umask environment, such as in certain container or continuous integration settings. Once the umask is set to allow world-writable permissions, nano can be used to create the ~/.local directory. Due to the incorrect permission handling, a local attacker could then race to inject a malicious .desktop launcher before the directory permissions are corrected.
Users can manually set the umask to a secure value, such as 0022 or 0077, to prevent the creation of world-writable directories. This secure umask can be applied system-wide or for individual users.
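An added example (not part of the original advisory or of nano): a shell audit that shows how the umask decides the mode of a newly created ~/.local, lists world-writable directories under it, and lists .desktop files owned by another user. The function names are hypothetical, and mkdir stands in for the editor's directory creation.

```shell
#!/bin/sh
# Added example: audit ~/.local for the world-writable condition described above.

# Print the octal mode of a path (GNU stat, then BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create DIR under the given umask in a subshell and print the resulting mode.
# Assumption: mkdir -p stands in for the editor creating the directory.
mode_under_umask() {
    ( umask "$1" && mkdir -p "$2" && mode_of "$2" )
}

# List every directory at or below HOME_DIR/.local that is world-writable.
audit_local() {
    [ -d "$1/.local" ] || return 0
    find "$1/.local" -type d -perm -0002 -print
}

# List .desktop files under HOME_DIR/.local not owned by the current user.
foreign_launchers() {
    [ -d "$1/.local" ] || return 0
    find "$1/.local" -type f -name '*.desktop' ! -user "$(id -u)" -print
}

# Remove group and other write permission from the directories audit_local finds.
harden_local() {
    [ -d "$1/.local" ] || return 0
    find "$1/.local" -type d -perm -0002 -exec chmod go-w {} +
}

# Stand-alone use: sh audit_local.sh "$HOME"
if [ "$#" -gt 0 ]; then
    echo "world-writable directories:"; audit_local "$1"
    echo "launchers owned by another user:"; foreign_launchers "$1"
fi
```

Review what audit_local and foreign_launchers report before running harden_local, since removing the write bit does not remove a launcher that is already in place.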