Version in base suite: 8.4-1
Base version: nano_8.4-1
Target version: nano_8.4-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nano/nano_8.4-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nano/nano_8.4-1+deb13u1.dsc
changelog | 9 +++++++++
gbp.conf | 2 +-
patches/CVE-2026-6842.patch | 32 ++++++++++++++++++++++++++++++++
patches/CVE-2026-6843.patch | 30 ++++++++++++++++++++++++++++++
patches/series | 2 ++
5 files changed, 74 insertions(+), 1 deletion(-)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp244xp49_/nano_8.4-1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp244xp49_/nano_8.4-1+deb13u1.dsc: no acceptable signature found
diff -Nru nano-8.4/debian/changelog nano-8.4/debian/changelog
--- nano-8.4/debian/changelog 2025-04-06 14:11:52.000000000 +0000
+++ nano-8.4/debian/changelog 2026-05-03 23:17:41.000000000 +0000
@@ -1,3 +1,12 @@
+nano (8.4-1+deb13u1) trixie; urgency=medium
+
+ * Add upstream fix for CVE-2026-6842: possible creation of permissive
+ ~/.local.
+ * Add upstream patch for CVE-2026-6843: format string vulnerability.
+ * Update debian-branch to trixie.
+
+ -- Jordi Mallach Mon, 04 May 2026 01:17:41 +0200
+
 nano (8.4-1) unstable; urgency=medium
 
 * The "Steve Langasek" release. Thanks for your help, for the
diff -Nru nano-8.4/debian/gbp.conf nano-8.4/debian/gbp.conf
--- nano-8.4/debian/gbp.conf 2024-05-06 22:29:36.000000000 +0000
+++ nano-8.4/debian/gbp.conf 2026-05-03 23:17:27.000000000 +0000
@@ -1,5 +1,5 @@
 [DEFAULT]
 pristine-tar = true
-debian-branch = debian/latest
+debian-branch = trixie
 upstream-branch = upstream/latest
 upstream-vcs-tag = v%(version)s
diff -Nru nano-8.4/debian/patches/CVE-2026-6842.patch nano-8.4/debian/patches/CVE-2026-6842.patch
--- nano-8.4/debian/patches/CVE-2026-6842.patch 1970-01-01 00:00:00.000000000 +0000
+++ nano-8.4/debian/patches/CVE-2026-6842.patch 2026-05-03 23:15:16.000000000 +0000
@@ -0,0 +1,32 @@
+commit cb43493e00e5777d2433ecf5db6402983b282d6f
+Author: Benno Schulenberg
+Date: Mon Apr 6 11:00:21 2026 +0200
+
+ history: create the ~/.local directory with limited access rights
+
+ Permitting everyone to write to the .local directory gave attackers
+ (on platforms where umask is 000) a tiny opportunity to become the
+ owner of the .local/share subdirectory, which would allow them to
+ install malicious .desktop files.
+
+ This fixes https://bugzilla.redhat.com/2455314.
+ Reported-by: Michał Majchrowicz
+ Patch-by: Michał Majchrowicz
+ Signed-off-by: Benno Schulenberg
+
+ Bug existed since version 2.9.1, commit 4200ed30,
+ from shortly after support for XDG was added.
+
+diff --git a/src/history.c b/src/history.c
+index ecae821f2..b1f245cdd 100644
+--- a/src/history.c
++++ b/src/history.c
+@@ -227,7 +227,7 @@ bool have_statedir(void)
+ if (stat(statedir, &dirinfo) == -1) {
+ if (xdgdatadir == NULL) {
+ char *statepath = concatenate(homedir, "/.local");
+- mkdir(statepath, S_IRWXU | S_IRWXG | S_IRWXO);
++ mkdir(statepath, S_IRWXU);
+ free(statepath);
+ statepath = concatenate(homedir, "/.local/share");
+ mkdir(statepath, S_IRWXU);
diff -Nru nano-8.4/debian/patches/CVE-2026-6843.patch nano-8.4/debian/patches/CVE-2026-6843.patch
--- nano-8.4/debian/patches/CVE-2026-6843.patch 1970-01-01 00:00:00.000000000 +0000
+++ nano-8.4/debian/patches/CVE-2026-6843.patch 2026-05-03 23:17:06.000000000 +0000
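Review bot: The tightened `mkdir(statepath, S_IRWXU)` in the src/history.c hunk only takes effect when nano itself creates ~/.local; its return value is still discarded, like that of the ~/.local/share mkdir two lines further down, so a ~/.local that already exists (for instance one left world-writable by an earlier run under umask 000, the case the commit message describes) keeps its mode and owner. have_statedir continues beyond the hunk, so a later check may exist, but none is visible here. I would at least record the limit next to the call, `/* Only a newly created ~/.local gets mode 0700; an existing one is used as found. */`, and users on umask-000 systems should check existing ~/.local directories for group or world write permission after upgrading.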
@@ -0,0 +1,30 @@
+commit 0b7328bce452bf1b0bbff81276425d4809a9b6fd
+Author: Benno Schulenberg
+Date: Wed Apr 1 11:44:27 2026 +0200
+
+ feedback: prevent interpretation of %s and similar in a filename
+
+ When a filename contains things that look like format specifiers
+ (%s, %p, %n, ...) and opening this file throws some error and this
+ file is opened together with others, then switching to the relevant
+ buffer would cause the %x parts to be interpreted as actual format
+ specifiers, resulting in the leakage of information, or in a crash,
+ or possibly in arbitrary memory writes.
+
+ Reported-by: Jonathan Echavarria
+ Patch-by: Jonathan Echavarria
+ Signed-off-by: Benno Schulenberg
+
+diff --git a/src/files.c b/src/files.c
+index ba4b7273e..7ae1389e5 100644
+--- a/src/files.c
++++ b/src/files.c
+@@ -579,7 +579,7 @@ void redecorate_after_switch(void)
+ /* If the switched-to buffer gave an error during opening, show the message
+ * once; otherwise, indicate on the status bar which file we switched to. */
+ if (openfile->errormessage) {
+- statusline(ALERT, openfile->errormessage);
++ statusline(ALERT, "%s", openfile->errormessage);
+ free(openfile->errormessage);
+ openfile->errormessage = NULL;
+ } else
diff -Nru nano-8.4/debian/patches/series nano-8.4/debian/patches/series
--- nano-8.4/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ nano-8.4/debian/patches/series 2026-05-03 23:17:06.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2026-6842.patch
+CVE-2026-6843.patch
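Review bot: The added `"%s"` in the src/files.c hunk closes this one call in redecorate_after_switch, but nothing in the patch keeps another `statusline(ALERT, some_buffer)` call from carrying the same bug elsewhere or being reintroduced later. If statusline's prototype (not visible here) does not already have it, declaring it with `__attribute__((format(printf, 2, 3)))` and building with `-Wformat -Wformat-security` would let the compiler flag any call that passes a non-literal string as the format argument. The function body continues past the `} else` that ends the hunk, so the other branch was not reviewed.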