nano
cpe:2.3:a:gnu:nano:*:*:*:*:*:*:*
- < 8.7
A format string vulnerability has been identified in the nano text editor, specifically within the statusline() function. This vulnerability allows local users to cause a segmentation fault, leading to a denial-of-service condition. The issue arises when a directory name containing printf specifiers is created. Nano attempts to display this name, but the improper handling of the format specifiers causes a crash.
Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition where the nano application crashes and becomes unresponsive.
To reproduce this vulnerability, create a directory with a name that includes printf format specifiers, such as '%s'. When nano is used to open a file in this directory, the application will attempt to display the directory name. The statusline() function will process the printf specifiers, leading to a segmentation fault and causing nano to crash. This vulnerability has been verified on nano version 8.7 using AddressSanitizer (ASAN).
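The bug class described above, shown as an added example that is not taken from nano's source: a variadic status routine is safe only when untrusted names are passed as arguments to a constant format, never as the format itself. All names here (`status_msg`, `show_dir_unsafe`, `show_dir_safe`, `escape_percent`, `SHOW_UNSAFE_PATTERN`) are hypothetical, and the directory name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char bar[256];  /* stand-in for the status bar text */

/* Hypothetical variadic status routine, not nano's code. The format
 * attribute lets GCC/Clang warn on non-literal formats (-Wformat-security). */
__attribute__((format(printf, 1, 2)))
const char *status_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(bar, sizeof bar, fmt, ap);
    va_end(ap);
    return bar;
}

#ifdef SHOW_UNSAFE_PATTERN  /* excluded from the default build */
/* UNSAFE: the name is the format, so "%s" in it reads an argument that was never passed. */
const char *show_dir_unsafe(const char *name) { return status_msg(name); }
#endif

/* SAFE: constant format; the name is only ever data. */
const char *show_dir_safe(const char *name) { return status_msg("dir: %s", name); }

/* Fallback when a name must be spliced into a format string: double each
 * '%' so it prints literally. Returns 0, or -1 if out is too small. */
int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz)
            return -1;
        if (*in == '%')
            out[o++] = '%';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    puts(show_dir_safe("/tmp/%s%n"));  /* constructed directory name */
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes the compiler report calls of the unsafe shape at review time.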