Wait, do update to latest nano, they still have a way to exploit the C code because the devs probably don't understand that C is not Python, not Haskell, not Agda, not Coq, not F#, not Java, not LISP, not Forth. Expect more security vulns if you continue using any version of nano, now or in the future.
Open nano repo, see src/text.c and line src/nano.c
Comment out all calls to statusline and stuff. It's trivial.
For my reasoning context see #26 (reply in thread)
I posted in a new discussion so anyone can help out.
I'll try testing removing statusline calls first. Someone else can collate the fixes for the linter specific code paths.
I would paste the trivial changes but for some reason the code has no comments. So I'll follow the RDX strategy of patching.
Examples -
[x] - https://github.com/ket395/nano-safe/blob/d0c0c0b3fe9b1a93daffc2fd644040f99152e7b4/src/definitions.h
[x] - https://github.com/ket395/nano-safe/blob/e368a91ea75d9b8f41300c5b0d42d0244cd8e567/src/prototypes.h next edits are because I'm a paranoid hacker.
[x] - https://github.com/ket395/nano-safe/blob/97bdf626e6a6a1c6b12bcc62482ecc8fccb19bbc/src/nano.c
[x] - https://github.com/ket395/nano-safe/blob/master/src/text.c I'm literally gagging at this src folder. So goodbye!
If you want to view the unsafe code for exploration or verification purposes, do it safely from this commit - https://github.com/ket395/nano-safe/commit/f39d149e82083b4393740d230abac59fff384561
This is the final logical changeset commit for browsing the unified edit - https://github.com/ket395/nano-safe/commit/9b0368a3adb330b3814bf5439f1569300d2f0d46 compare it to https://github.com/ket395/nano-safe/commit/f39d149e82083b4393740d230abac59fff384561
I'd suggest cloning from the official nano repo and removing the header files, nano.c, text.c entirely. Or just empty them if you want to start a fix from scratch, avoiding technical debt. You can then just increment the version number to v10.0.0-alpha. That's just simpler than what I did here.
CURRENT STATUS - The fork changes have not been tested.