A vulnerability was found in Ghostscript that has been exploited via ImageMagick

News recently broke identifying a vulnerability (already catalogued as CVE-2021-3781) in Ghostscript (a set of tools for processing, converting and generating documents in the PostScript and PDF formats) that allows arbitrary code execution when a specially crafted file is processed.

Initially, Emil Lerner pointed out that there was a problem, and he was also the one who spoke about the vulnerability on August 25 at the most recent Saint Petersburg conference, ZeroNights X (in the talk he showed how, within a bug bounty program, he used the vulnerability to obtain rewards for demonstrating attacks on AirBNB, Dropbox and Yandex services).

On September 5, a working exploit appeared in the public domain that allows attacking Ubuntu 20.04 systems by passing a specially crafted document, uploaded under the guise of an image, to a web script running on a server that uses the php-imagemagick package.

We have a solution under testing now.

Since this exploit has been circulating since March and has been completely public since at least August 25 (so much for responsible disclosure!), I am inclined to publish the fix publicly as soon as we finish testing and review.

On the other hand, it is mentioned that, according to preliminary data, such an exploit has been in use since March, and it was known that it could attack systems running GhostScript 9.50, but it turned out that the vulnerability persisted in all versions of GhostScript, including the development Git version 9.55.

A fix was later proposed on September 8 and, after peer review, was accepted into the GhostScript repository on September 9.

As I mentioned earlier, because the exploit has been "in the wild" for at least 6 months, I have already submitted the patch to our public repository; keeping the patch secret in this case seemed pointless.

I will make this bug public before close of business (UK) on Friday, again, unless there are strong and compelling arguments not to (you can still link to it; making it public will not change the URL).

The problem stems from the ability to bypass the "-dSAFER" isolation mode because of insufficient validation of the parameters of the "%pipe%" PostScript device, which allowed arbitrary shell commands to be executed.

For example, to run the id utility from a document, you only need to specify the string "(%pipe%/tmp/&id)(w)file" or "(%pipe%/tmp/;id)(r)file".

As a reminder, vulnerabilities in Ghostscript are especially dangerous because this package is used by many popular applications for processing the PostScript and PDF formats. For example, Ghostscript is called when creating thumbnails on the desktop, when indexing data in the background, and when converting images. For a successful attack, in many cases it is enough to download the exploit file or to browse the directory containing it in a file manager that supports showing document thumbnails, for example Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image handlers based on the ImageMagick and GraphicsMagick packages, by passing a JPEG or PNG file that contains PostScript code instead of an image (such a file is processed by Ghostscript, because the MIME type is recognised from the content, without relying on the extension).
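Because ImageMagick sniffs the type from the file content rather than the extension, a defender can apply the same sniffing before a file reaches the image pipeline and reject PostScript or PDF content that arrives with an image extension. The script below is an added example for this article, not code from the article, from ImageMagick or from Ghostscript; the temporary directory, the file names and the sample file contents (only headers, no image data and no real PostScript program) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: detect PostScript or PDF content hiding
# behind a .jpg/.jpeg/.png extension, the input shape that ImageMagick would
# hand to Ghostscript because it sniffs the type from content, not extension.

# Classify a file by its first four bytes.
sniff_type() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  echo jpeg ;;        # JPEG SOI marker FF D8 FF
        89504e47) echo png ;;         # "\x89PNG"
        25215053) echo postscript ;;  # "%!PS"
        25504446) echo pdf ;;         # "%PDF"
        *)        echo unknown ;;
    esac
}

# True (exit 0) when an image extension wraps PostScript or PDF content.
is_masquerading() {
    ext=$(printf '%s' "$1" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    kind=$(sniff_type "$1")
    case "$ext:$kind" in
        jpg:postscript|jpeg:postscript|png:postscript) return 0 ;;
        jpg:pdf|jpeg:pdf|png:pdf)                      return 0 ;;
        *)                                             return 1 ;;
    esac
}

# Print every masquerading file found directly under directory $1.
find_masquerading() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.jpg|*.jpeg|*.png|*.JPG|*.JPEG|*.PNG)
                if is_masquerading "$f"; then echo "$f"; fi ;;
        esac
    done
}

# Constructed sample files (headers only: no image data, no PostScript program).
make_samples() {
    dir=$(mktemp -d)
    printf '\211PNG\r\n\032\n'          > "$dir/real.png"  # PNG signature
    printf '\377\330\377\340'           > "$dir/real.jpg"  # JPEG SOI + APP0 marker
    printf '%%!PS-Adobe-3.0\n%%%%EOF\n' > "$dir/fake.jpg"  # PostScript behind .jpg
    printf '%%PDF-1.4\n%%%%EOF\n'       > "$dir/fake.png"  # PDF behind .png
    printf '%%!PS-Adobe-3.0\n'          > "$dir/plain.ps"  # honest .ps, not policed here
    echo "$dir"
}

# Stand-alone run: list the masquerading files among the constructed samples.
samples=$(make_samples)
find_masquerading "$samples"
rm -rf "$samples"
```

Run it on an upload directory by replacing the constructed samples with the real path; anything it lists should be quarantined before ImageMagick or a thumbnailer ever opens it. The check is deliberately shallow (four magic bytes), which is exactly the information ImageMagick itself uses to pick the coder, so it flags the same files ImageMagick would route to Ghostscript.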

As a workaround to protect against the vulnerability through the automatic thumbnail generator in GNOME and through ImageMagick, it is recommended to disable the evince-thumbnailer call in /usr/share/thumbnailers/evince.thumbnailer and to disable rendering of the PS, EPS, PDF and XPS formats in ImageMagick.
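Disabling those formats in ImageMagick is done through its policy file: a "coder" rule with rights="none" for each coder that delegates to Ghostscript. The script below is an added example for this article, not code from the article or from the ImageMagick project; it audits a policy file for the Ghostscript-backed coders that are still permitted and prints the rules that deny them. The policy file location is assumed (on Debian/Ubuntu with ImageMagick 6 it is typically /etc/ImageMagick-6/policy.xml; the page does not give a path), and the sample policy it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article or from ImageMagick: audit an ImageMagick
# policy.xml for the coders that route input through Ghostscript and print the
# rules that disable them. Assumed policy location on Debian/Ubuntu with
# ImageMagick 6: /etc/ImageMagick-6/policy.xml (not given on the page).

# Coders that ImageMagick delegates to Ghostscript.
GS_CODERS="PS PS2 PS3 EPS PDF XPS"

# Print each coder in GS_CODERS that the policy file $1 does not deny outright.
# Single-line XML comments are stripped first so a commented-out rule does not
# count as active; multi-line comments and glob patterns such as "{PS,EPS}"
# are not handled (a limitation of this check, not of ImageMagick).
permitted_gs_coders() {
    for coder in $GS_CODERS; do
        if ! sed 's/<!--.*-->//g' "$1" \
             | grep '<policy' | grep 'domain="coder"' | grep 'rights="none"' \
             | grep -q "pattern=\"$coder\""; then
            echo "$coder"
        fi
    done
}

# Exit 0 when every Ghostscript-backed coder is denied in $1, 1 otherwise.
check_policy() {
    [ -z "$(permitted_gs_coders "$1")" ]
}

# Print the rules to place inside the existing <policymap> element.
hardened_policy_rules() {
    for coder in $GS_CODERS; do
        echo "  <policy domain=\"coder\" rights=\"none\" pattern=\"$coder\" />"
    done
}

# Constructed sample policy: PS and EPS denied, the PDF rule commented out,
# the remaining Ghostscript-backed coders not mentioned at all.
make_sample_policy() {
    file=$(mktemp)
    cat > "$file" <<'EOF'
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
</policymap>
EOF
    echo "$file"
}

# Stand-alone run against the constructed sample (point it at a real policy.xml instead).
sample=$(make_sample_policy)
if check_policy "$sample"; then
    echo "OK: all Ghostscript-backed coders are denied in $sample"
else
    echo "WARNING: still permitted in $sample:" $(permitted_gs_coders "$sample")
    echo "Add inside <policymap>:"
    hardened_policy_rules
fi
rm -f "$sample"
```

The check treats a coder as protected only when an active, uncommented rule denies it, which is the state the workaround above asks for; after editing the real policy file, running `check_policy /etc/ImageMagick-6/policy.xml` (assumed path) returning 0 confirms that PS, EPS, PDF and XPS can no longer be handed to Ghostscript by ImageMagick.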

Finally, it is mentioned that in many distributions the problem remains unfixed (the status of update releases can be seen on the pages for Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD).

It is also mentioned that the GhostScript release with the fix for the vulnerability is scheduled to be published before the end of the month. If you want to know more about it, you can check the details at the following link.
