Two vulnerabilities found in GRUB2


If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

Details have been disclosed of two vulnerabilities in the GRUB2 boot loader that can lead to code execution when specially crafted fonts are used and certain Unicode sequences are processed.

It is reported that the discovered vulnerabilities can be used to bypass the UEFI Secure Boot verified boot mechanism. The GRUB2 vulnerabilities allow code to be executed at the stage after shim has completed its verification but before the operating system is loaded, breaking the chain of trust while Secure Boot mode is active and giving full control over the rest of the boot process, e.g. booting another operating system, modifying operating system components, and bypassing lockdown protection.

Regarding the identified vulnerabilities, the following is stated:

  • CVE-2022-2601: a buffer overflow in the grub_font_construct_glyph() function when processing specially crafted fonts in pf2 format, caused by an incorrect calculation of the max_glyph_size parameter and the allocation of a memory region that is clearly smaller than required to hold the glyphs.
  • CVE-2022-3775: an out-of-bounds write when rendering certain Unicode sequences with a custom font. The problem lies in the font handling code and is caused by the lack of proper checks that the glyph's width and height match the size of the available bitmap. An attacker can craft the input so that the tail of the data is written outside the allocated buffer. It is noted that, despite the difficulty of exploiting the vulnerability, escalating the issue to code execution is not ruled out.
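Both bugs are the same class of defect: a size derived from attacker-controlled font data is trusted when a glyph bitmap is allocated or written. The following is an added example, not GRUB's code and not the real pf2 format: a hypothetical, simplified glyph record (assumed layout: 16-bit little-endian width and height followed by a 1-bit-per-pixel bitmap) together with the validation a loader needs before it sizes the allocation and copies the bitmap. The function names, the MAX_GLYPH_DIM cap and the sample records are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Largest glyph dimension the loader will accept (assumed policy value).
 * Capping both dimensions bounds width*height, so the byte count below
 * cannot wrap and the allocation stays small: 512*512/8 = 32 KiB. */
#define MAX_GLYPH_DIM 512u

/* Bytes needed for a 1-bit-per-pixel bitmap of w*h pixels, rounded up. */
static size_t bitmap_bytes(uint32_t w, uint32_t h) {
    return ((size_t)w * h + 7) / 8;
}

/* The check the text describes as missing: do the declared width and
 * height describe a bitmap that actually fits in the 'avail' bytes that
 * follow the header? Returns 1 if the glyph is acceptable, 0 otherwise. */
int glyph_dims_ok(uint32_t w, uint32_t h, size_t avail) {
    if (w == 0 || h == 0) return 0;
    if (w > MAX_GLYPH_DIM || h > MAX_GLYPH_DIM) return 0;
    return bitmap_bytes(w, h) <= avail;
}

/* Hypothetical glyph record: 16-bit LE width, 16-bit LE height, bitmap.
 * Returns a buffer sized exactly from the validated dimensions (so the
 * copy cannot overrun it), or NULL if the record is bad. Caller frees. */
uint8_t *load_glyph(const uint8_t *font, size_t font_len, size_t *out_len) {
    if (font_len < 4) return NULL;
    uint32_t w = font[0] | ((uint32_t)font[1] << 8);
    uint32_t h = font[2] | ((uint32_t)font[3] << 8);
    size_t avail = font_len - 4;
    if (!glyph_dims_ok(w, h, avail)) return NULL;
    size_t need = bitmap_bytes(w, h);
    uint8_t *bmp = malloc(need);
    if (!bmp) return NULL;
    memcpy(bmp, font + 4, need);
    *out_len = need;
    return bmp;
}

/* Build a constructed glyph record into buf; returns its length or 0. */
size_t build_glyph(uint8_t *buf, size_t cap, uint16_t w, uint16_t h,
                   const uint8_t *bits, size_t nbits) {
    if (cap < 4 + nbits) return 0;
    buf[0] = (uint8_t)(w & 0xff); buf[1] = (uint8_t)(w >> 8);
    buf[2] = (uint8_t)(h & 0xff); buf[3] = (uint8_t)(h >> 8);
    memcpy(buf + 4, bits, nbits);
    return 4 + nbits;
}

/* A well-formed 8x8 glyph: header says 64 pixels, 8 bitmap bytes follow.
 * Returns 1 if it loads with the expected size and contents. */
int demo_well_formed(void) {
    static const uint8_t bits[8] = {0x18,0x24,0x42,0x7e,0x42,0x42,0x42,0x00};
    uint8_t rec[16];
    size_t len = build_glyph(rec, sizeof rec, 8, 8, bits, sizeof bits);
    size_t n = 0;
    uint8_t *bmp = load_glyph(rec, len, &n);
    int ok = bmp != NULL && n == 8 && memcmp(bmp, bits, 8) == 0;
    free(bmp);
    return ok;
}

/* A malformed glyph: the header claims 512x512 (32 KiB of bitmap) but only
 * 8 bytes follow. A loader that trusted the header would size its buffer
 * from a miscomputed value, or copy 32 KiB from past the end of the font
 * data. Returns 1 if the record is rejected. */
int demo_malformed(void) {
    static const uint8_t bits[8] = {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff};
    uint8_t rec[16];
    size_t len = build_glyph(rec, sizeof rec, 512, 512, bits, sizeof bits);
    size_t n = 0;
    uint8_t *bmp = load_glyph(rec, len, &n);
    free(bmp);
    return bmp == NULL;
}

int main(void) {
    printf("well-formed glyph loads: %s\n", demo_well_formed() ? "yes" : "no");
    printf("malformed glyph rejected: %s\n", demo_malformed() ? "yes" : "no");
    return 0;
}
```

The two defensive ideas are the cap on each dimension (which keeps the product from wrapping, the failure behind a too-small allocation) and the comparison against the bytes actually present (the check whose absence lets the tail of the data land outside the buffer).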

Full mitigation against all of the CVEs will require updated revocations using the latest SBAT (Secure Boot Advanced Targeting) data provided by distributions and vendors. In this case the UEFI revocation list (dbx) will not be used, and revocation of the broken artifacts will be done only through SBAT. For information on how to apply the latest SBAT revocations, see mokutil(1). Vendor fixes may explicitly allow known old boot artifacts to be booted again.

GRUB2, shim and the other boot artifacts from all affected vendors will be updated and will become available when the embargo is lifted, or some time after that.

It is also noted that most Linux distributions use a small shim layer, digitally signed by Microsoft, to perform verified boot in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which spares distribution developers from having to certify every kernel and GRUB update with Microsoft.

To block the vulnerability without revoking the digital signature, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported by GRUB2, shim and fwupd in the most popular Linux distributions.

SBAT was developed in collaboration with Microsoft and consists of adding metadata to a UEFI section of executable files, including manufacturer, product, component and version information. This metadata is digitally signed and can be included in separate lists of allowed or prohibited components for UEFI Secure Boot.

SBAT makes it possible to block the use of a digital signature for individual component version numbers without having to revoke Secure Boot keys. Blocking vulnerabilities via SBAT does not require the UEFI CRL (dbx); instead it is done at the level of the internal key used to generate signatures and to update GRUB2, shim and the other boot artifacts supplied by distributions.
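To make the revocation rule concrete, here is an added example (not shim's or GRUB's own code) of the comparison shim performs at boot: each line in a binary's .sbat section starts with a component name and a component generation, and a revocation policy lists, per component, the minimum generation still allowed. The CSV layout follows the format documented in shim's SBAT.md; the sample entries, the policy and the generation numbers below are constructed for illustration and are not the real values published for these CVEs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* An SBAT entry as far as revocation is concerned: the CSV's first two
 * fields, component name and component generation. The remaining fields
 * (vendor, package, version, URL) are informational and skipped here. */
#define MAX_ENTRIES 16
struct sbat_entry {
    char component[32];
    unsigned generation;
};

/* Parse newline-separated "component,generation,..." lines. Lines without
 * a comma are ignored. Returns the number of entries stored in out. */
int sbat_parse(const char *csv, struct sbat_entry *out, int max) {
    int n = 0;
    const char *p = csv;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        const char *comma = memchr(p, ',', len);
        if (comma) {
            size_t clen = (size_t)(comma - p);
            if (clen >= sizeof out[n].component)
                clen = sizeof out[n].component - 1;
            memcpy(out[n].component, p, clen);
            out[n].component[clen] = '\0';
            out[n].generation = (unsigned)strtoul(comma + 1, NULL, 10);
            n++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Revocation rule: a binary is rejected if any component it carries has a
 * generation lower than the minimum the policy states for that component.
 * Components absent from the policy are unconstrained. Returns 1 = allowed. */
int sbat_allowed(const struct sbat_entry *bin, int nbin,
                 const struct sbat_entry *pol, int npol) {
    for (int i = 0; i < npol; i++)
        for (int j = 0; j < nbin; j++)
            if (strcmp(bin[j].component, pol[i].component) == 0 &&
                bin[j].generation < pol[i].generation)
                return 0;
    return 1;
}

/* Parse both documents and apply the rule. */
int check_sbat(const char *bin_csv, const char *policy_csv) {
    struct sbat_entry b[MAX_ENTRIES], p[MAX_ENTRIES];
    int nb = sbat_parse(bin_csv, b, MAX_ENTRIES);
    int np = sbat_parse(policy_csv, p, MAX_ENTRIES);
    return sbat_allowed(b, nb, p, np);
}

/* Convenience: generation of a named component in a CSV, or 0 if absent. */
unsigned sbat_generation_of(const char *csv, const char *component) {
    struct sbat_entry e[MAX_ENTRIES];
    int n = sbat_parse(csv, e, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        if (strcmp(e[i].component, component) == 0) return e[i].generation;
    return 0;
}

/* Constructed samples: a .sbat section from an old build, one from a
 * rebuilt binary, and a policy that raises the grub minimum to 2. */
const char OLD_GRUB_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n";
const char NEW_GRUB_SBAT[] =
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n";
const char REVOCATION_POLICY[] =
    "sbat,1,2022110100\n"
    "grub,2\n";

int main(void) {
    printf("old grub: %s\n",
           check_sbat(OLD_GRUB_SBAT, REVOCATION_POLICY) ? "allowed" : "revoked");
    printf("new grub: %s\n",
           check_sbat(NEW_GRUB_SBAT, REVOCATION_POLICY) ? "allowed" : "revoked");
    return 0;
}
```

This is why the signature itself stays valid: the old binary is still correctly signed, but its grub generation is below the policy minimum, so shim refuses it. On a real image the section can be dumped with objcopy (--only-section=.sbat) and compared with the SBAT revocation level that mokutil(1), mentioned above, manages.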

Before SBAT was introduced, updating the certificate revocation list (dbx, the UEFI Revocation List) was required to block the vulnerability completely, since an attacker, regardless of the operating system in use, could use bootable media with an old, vulnerable version of GRUB2 that was still authorized by a digital signature to compromise UEFI Secure Boot.

Finally, it is worth mentioning that the fix has been released as a patch. To fix the problems in GRUB2 it is not enough to update the package: you will also need to generate new internal digital signatures and update the installers, boot loaders, kernel packages, fwupd firmware and the shim layer.

The status of the fixes for the vulnerabilities in the distributions can be checked on these pages: Ubuntu, SUSE, RHEL, Fedora, Debian.

You can find out more at the following link.