I-Glibc 2.35 ifika nentuthuko, ukulungiswa kweziphazamisi nokunye

Darkcrizt

Imizuzu ye-4

Ngemva kwezinyanga eziyisithupha zentuthuko ukukhishwa kwenguqulo entsha ye-Glibc 2.35 imenyezelwe lapho kufaka phakathi ukulungiswa okuvela konjiniyela abangama-66 kanye nokuthuthukiswa okusetshenzisiwe singathola ukuthi ukusekelwa kwendawo ye-"C.UTF-8" yengeziwe, okuhlanganisa ukuhlanganisa kwawo wonke amakhodi e-Unicode, kodwa kukhawulelwe ekusebenziseni ububanzi be-ASCII emisebenzini ye-fnmatch, regexec kanye ne-regcomp ukuze ulondoloze. isikhala.

Indawo icishe ibe ngu-400 KB, lapho i-346 KB iyidatha ye-LC_CTYPE ye-Unicode, futhi kufanele ifakwe ngokuhlukana (ayakhelwe ku-Glibc). Idatha yombhalo wekhodi, ulwazi lohlobo lwezinhlamvu, namathebula okuhumusha abuyekeziwe ukuze asekele ukucaciswa kwe-Unicode 14.0.0.

Olunye ushintsho olugqamile yilolo Y sebenzisa imisebenzi namamakhro azungeza umphumela ohlotsheni oluncane, Ngokungeziwe ekusebenziseni imisebenzi namamakhro ukuze uthole ubuncane nobuningi bezinombolo zamaphuzu antantayo ezinhlobo ezintantayo, eziphindwe kabili, _FloatN kanye ne-_FloatNx, ezichazwe ekucacisweni kwe-IEEE 754-2019.

okwemisebenzi exp10, ama-macros ahambisanayo engezwa kufayela lesihloko, ezingaboshelwe ezinhlotsheni ezithile, kanye ne-_PRINTF_NAN_LEN_MAX macro yengezwe , ehlongozwa kokusalungiswa okujwayelekile kwe-ISO C2X.

Isistimu yokuxhumanisa enamandla isebenzisa i-algorithm entsha yokuhlukanisa I-DSO isebenzisa ukusesha okujulile (DFS) ukubhekana nezinkinga zokusebenza lapho uphatha ukuncika kwe-loop. Ukuze ukhethe i-algorithm yokuhlunga ye-DSO, kuhlongozwa ipharamitha ye-glibc.rtld.dynamic_sort, engasethwa ukuze ithi "1" ukuze ibuyele ku-algorithm yangaphambilini.

Ngaphandle kwakho ungeze ukusekelwa komsebenzi omusha '__memcmpeq' ku-ABI, esetshenziswa abahlanganisi ukuthuthukisa ukusetshenziswa kwe-`memcmp' uma inani lokubuyisela lalo msebenzi lisetshenziswa kuphela ukuhlola isimo sokuqedwa komsebenzi.

I- ukusekela ukubhaliswa kwentambo okuzenzakalelayo usebenzisa ucingo lwesistimu lwe-rseq (oluqalwa kabusha) olunikeziwe kusukela ku-Linux kernel 4.18. Ucingo lwesistimu ye-rseq ivumela ukuhlela ukwenziwa okuqhubekayo kweqembu lemiyalelo engaphazanyiswa futhi enze umphumela nesitatimende sokugcina eqenjini. Empeleni, ihlinzeka ngendawo yokusebenza ngokushesha kwe-athomu okuthi, uma iphazanyiswa olunye uchungechunge, ihlanzwe bese izanywa kabusha.

Ngakolunye uhlangothi, ihlinzeka ukuhlanganiswa okuzenzakalelayo kwawo wonke amafayela asebenzisekayo yezinhlelo ezakhelwe ngaphakathi kanye ne-suite yokuhlola kumodi ye-PIE (i-position-independent executable).

Ukuze ukhubaze lokhu kuziphatha, inketho ethi “-disable-default-pie” inikeziwe, kanye ne-Linux, yengeze ukulungiselelwa kwe-glibc.malloc.hugetlb ukushintsha ukusetshenziswa kwe-malloc ukusebenzisa ikholi yesistimu ye-madvise nefulegi le-MADV_HUGEPAGE le-mmap ne-sbrk, noma sebenzisa ngokuqondile amakhasi enkumbulo amakhulu ngokucacisa ifulegi le-MAP_HUGETLB kumakholi we-mmap.

Esimweni sokuqala, ukukhushulwa kokusebenza kungafinyelelwa ngokusebenzisa amakhasi Amakhulu asobala kwimodi ye-madvise, futhi esimweni sesibili, ungasebenzisa amakhasi amakhulu agcinwe yisistimu (Amakhasi Amakhulu).

Kufanele futhi kuqashelwe ukuthi ubungozi obuthile bulungisiwe kule nguqulo entsha:

  • CVE-2022-23218, CVE-2022-23219: Isigcinalwazi sichichima emisebenzini ethi svcunix_create futhi clnt_create ebangelwa ukukopisha okuqukethwe kwepharamitha yegama lefayela kusitaki ngaphandle kokuhlola usayizi wedatha ekopishiwe. Kuzinhlelo zokusebenza ezakhelwe ngaphandle kokuvikelwa kwesitaki futhi zisebenzisa iphrothokholi "unix", ukuba sengozini kungaholela ekusebenziseni ikhodi enonya lapho kucutshungulwa amagama wamafayela amade kakhulu.
  • I-CVE-2021-3998: ukuba sengozini emsebenzini we-realpath() okubangelwa ukubuyisela inani elingalungile ngaphansi kwezimo ezithile eziqukethe idatha yensalela engcolile evela kusitaki. Kuhlelo lwe-SUID-root fusermount, ukuba sengozini kungasetshenziswa ukuthola ulwazi olubucayi kusuka kumemori yenqubo, isibonelo, ukuthola ulwazi lwesikhombi.
  • I-CVE-2021-3999: Ibhayithi yebhayithi yebhayithi eyodwa iyachichima kumsebenzi we-getcwd(). Inkinga ibangelwa isiphazamisi esibe khona kusukela ngo-1995. Ukuze ubize ukuchichima, endaweni ehlukile yendawo yegama, vele ushayele u-chdir() kuhla lwemibhalo "/".

Okokugcina Uma unesifiso sokwazi okwengeziwe ngakho, ungabheka imininingwane kufayela le- isixhumanisi esilandelayo.


Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.