They found a critical vulnerability in Apache OpenOffice

A few days ago a vulnerability was disclosed that had been identified in the Apache OpenOffice office suite. The bug, tracked as CVE-2021-33035, allows code execution when a specially crafted file in DBF format is opened.

The problem is that OpenOffice relies on the fieldLength and fieldType values in the header of DBF files to allocate memory, without checking the actual data type in the fields.

About the vulnerability

To carry out an attack, one can specify the INTEGER type in the fieldType value, but place larger data and specify a fieldLength value that does not correspond to the size of INTEGER data, which leads to the field's data being written beyond the allocated buffer.

As a result of the controlled buffer overflow, the researcher was able to overwrite the function's return pointer and, using Return Oriented Programming (ROP) techniques, achieve execution of his code.

One tip I got early in my vulnerability research journey was to focus on a file format, not a specific piece of software. There are two main advantages to this approach. First, as a beginner, you lack the experience to quickly identify unique attack vectors in individual applications, whereas file format parsing tends to be a common entry point among many applications.

Additionally, common file formats are well documented through Requests for Comments (RFCs) or open source code, reducing the amount of effort required to reverse engineer the format.

When using the ROP technique, the attacker does not try to place his own code in memory, but instead operates on pieces of machine instructions already available in loaded libraries, each ending with a control return instruction (as a rule, these are the ends of library functions).

The work of the exploit comes down to building a chain of calls to such blocks ("gadgets") to obtain the required functionality.

As gadgets in the OpenOffice exploit, it is mentioned that code from the libxml2 library used in OpenOffice was used, which, unlike OpenOffice itself, turned out to be built without the DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) protection mechanisms.

The OpenOffice developers were notified of the problem on May 4, after which public disclosure of the vulnerability was scheduled for August 30.

Since the stable branch had not been updated by the planned date, the researcher postponed the release of details until September 18, but the OpenOffice developers did not have time to build release 4.1.11 by then. It should be noted that in the course of the same research, a similar vulnerability was found in the DBF format support code in Microsoft Office Access (CVE-2021-38646), the details of which will be disclosed later. No problems were found in LibreOffice.

Documentation of the dBase file format was relatively easy to find; Wikipedia has a simple description of version 5 of the format, and dBase LLC also provides an updated specification. The Library of Congress lists an incredible catalog of file formats, including DBF. The various versions and extensions of the DBF format provide ample opportunities for programmers to introduce parsing vulnerabilities.

The DBF format consists of two main sections: the header and the body. The header includes a prefix that describes the dBase database version, the timestamp of the last update, and other metadata. More importantly, it specifies the length of each record in the database, the length of the header structure, the number of records, and the data fields in a record.
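The header consistency check implied by the description above, as an added example that is not part of the original article or of the OpenOffice code base: it walks the 32-byte field descriptors that follow the 32-byte DBF header and flags a fixed-size type whose declared length does not match, the mismatch behind CVE-2021-33035. The names `check_dbf_header` and `build_header`, the `FIXED_SIZES` table and the sample headers are assumptions constructed for illustration.

```python
import struct

# Assumed fixed on-disk sizes (bytes) for a few common DBF field types.
FIXED_SIZES = {"I": 4, "D": 8, "L": 1}

def build_header(fields):
    """Constructed sample: a DBF header built from (name, type, length) tuples."""
    descs = b"".join(struct.pack("<11sc4xBB14x", n.encode(), t.encode(), ln, 0)
                     for n, t, ln in fields)
    record_len = 1 + sum(ln for _, _, ln in fields)
    head = struct.pack("<B3BIHH20x", 0x03, 121, 9, 18, 0,
                       32 + len(descs) + 1, record_len)
    return head + descs + b"\x0d"

def check_dbf_header(data):
    """Return findings for a DBF header; an empty list means it is consistent."""
    if len(data) < 33:
        return ["file shorter than a minimal DBF header"]
    _count, header_len, record_len = struct.unpack_from("<IHH", data, 4)
    findings = []
    if header_len > len(data):
        findings.append(f"header length {header_len} exceeds file size {len(data)}")
    total, offset, terminated = 1, 32, False  # 1 = per-record deletion flag
    while offset < min(header_len, len(data)):
        if data[offset] == 0x0D:  # terminator of the field descriptor array
            terminated = True
            break
        desc = data[offset:offset + 32]
        if len(desc) < 32:
            findings.append("truncated field descriptor")
            break
        name = desc[:11].split(b"\0")[0].decode("ascii", "replace")
        ftype, flen = chr(desc[11]), desc[16]
        expected = FIXED_SIZES.get(ftype)
        if expected is not None and flen != expected:
            findings.append(f"{name}: type {ftype} declares length {flen}, "
                            f"expected {expected}")
        total += flen
        offset += 32
    if not terminated:
        findings.append("missing 0x0D terminator after field descriptors")
    if total != record_len:
        findings.append(f"record length {record_len} != 1 + field lengths ({total})")
    return findings

if __name__ == "__main__":
    print(check_dbf_header(build_header([("ID", "I", 4), ("NAME", "C", 20)])))
    print(check_dbf_header(build_header([("ID", "I", 200)])))
```

A parser that applies the same rule before allocating or copying field data rejects the file instead of trusting the declared length.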

The researcher who identified the problem warned about the creation of a working exploit for the Windows platform. A fix for the vulnerability is available only as a patch in the project repository, which was included in the test builds of OpenOffice 4.1.11.

Finally, if you are interested in learning more about it, you can check the original note at the following link.



  1.   Diego Vallejo said

    Is OpenOffice still used in 2021?
    Haven't you heard that there is support at LibreOffice.org?

  2.   Paul Cormier CEO Red Hat, Inc. said

    Are there people today who use this zombie called openoffice?