Vulnerability discovered in Composer that could compromise the Packagist PHP repository

A few days ago, news broke that a critical vulnerability had been discovered in the Composer dependency manager (CVE-2021-29472) that allows arbitrary commands to be executed on the system while processing a package whose URL value, the one that specifies where the source code is downloaded from, has been specially crafted.

The problem manifests itself in the GitDriver, SvnDriver and HgDriver components used with the Git, Subversion and Mercurial version control systems. The vulnerability was fixed in Composer versions 1.10.22 and 2.0.13.

In particular, Composer's default package repository, Packagist, which hosts 306,000 packages from PHP developers and serves more than 1.4 billion downloads per month, is especially affected.

In the PHP ecosystem, Composer is the main tool for managing and installing software dependencies. Development teams around the world use it to simplify the upgrade process and to ensure that applications run consistently across environments and versions.

Testing showed that, had the problem become known to attackers, they could have taken control of the Packagist infrastructure and intercepted maintainers' credentials, or redirected package downloads to a third-party server, arranging for package versions with malicious changes to be delivered so that a backdoor is planted during dependency installation.

The danger to end users is limited because the contents of composer.json are typically public and the links to the sources are formed when accessing third-party repositories, which are usually trustworthy. The main blow fell on the Packagist.org repository and the Private Packagist service, which invoke Composer with data received from users. Attackers could execute their code on Packagist servers by hosting a specially crafted package.

The Packagist team resolved the vulnerability within 12 hours of being notified. The researchers privately notified the Packagist developers on April 22, and the issue was fixed the same day. A Composer update with a fix for the vulnerability was released on April 27, and full details were disclosed on April 28. An audit of the logs on the Packagist servers revealed no suspicious activity associated with the vulnerability.

Argument injection bugs are a very interesting class of bugs that are often overlooked during code review and missed entirely in black-box testing.

The problem stems from an error in the URL validation code for the root composer.json file and for the source download links. The bug has been present in the code since November 2011. Packagist uses special layers to manage code downloads without being tied to a specific version control system, implemented by calling "fromShellCommandline" with command-line arguments.

The core of the problem is that the ProcessExecutor method allowed additional call parameters to be smuggled in through the URL. The necessary escaping was missing from the GitDriver.php, SvnDriver.php and HgDriver.php drivers. Attacking GitDriver.php was hampered by the fact that the "git ls-remote" command does not accept additional arguments after the path.

The attack on HgDriver.php was made possible by passing the "--config" parameter to the "hg" utility, which allows the execution of an arbitrary command to be arranged by manipulating the "alias.identify" setting.
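As an added example (not Composer's own code), this is the kind of check the drivers lacked: reject option-shaped URL values before they reach the shell, then escape every argument separately. The function names and the set of accepted URL forms are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's code: validate a repository URL before it is
// spliced into a VCS command line. Function names are hypothetical.
function assertSafeRepositoryUrl(string $url): string
{
    // A value beginning with "-" is parsed by git/hg/svn as an option rather
    // than a location. Escaping alone does not prevent this; it must be rejected.
    if ($url === '' || $url[0] === '-') {
        throw new InvalidArgumentException('Repository URL must not be empty or start with "-"');
    }
    // Whitespace and control characters have no place in a repository URL.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $url)) {
        throw new InvalidArgumentException('Repository URL contains whitespace or control characters');
    }
    // Assumption: only these schemes, plus git's "user@host:path" form, are expected.
    if (!preg_match('#^(?:https?|ssh|git|svn|file)://#i', $url)
        && !preg_match('#^[\w.-]+@[\w.-]+:#', $url)) {
        throw new InvalidArgumentException('Unsupported repository URL scheme');
    }
    return $url;
}

// Build the "identify" command for a driver; the URL is never interpolated raw.
function buildIdentifyCommand(string $vcs, string $url): string
{
    $url = assertSafeRepositoryUrl($url);
    switch ($vcs) {
        case 'git': return 'git ls-remote ' . escapeshellarg($url);
        case 'hg':  return 'hg identify ' . escapeshellarg($url);
        case 'svn': return 'svn info ' . escapeshellarg($url);
    }
    throw new InvalidArgumentException("Unknown VCS: $vcs");
}

// Constructed inputs: a benign URL and an option-shaped value of the kind described above.
foreach (['https://example.com/vendor/pkg.git', '--config=alias.identify=placeholder'] as $candidate) {
    try {
        echo buildIdentifyCommand('hg', $candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first input produces a quoted `hg identify` command line; the second is rejected before any process is spawned, which is the behaviour a detection or hardening review should look for in any code that passes user-supplied locations to a VCS client.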

By submitting a test package with such a URL to Packagist, the researchers confirmed that, after it was published, their server received an HTTP request from one of the Packagist servers on AWS containing a listing of the files in the current directory.

It should be noted that the maintainers found no signs of prior exploitation of this issue in the public logs.

Finally, if you are interested in learning more about it, you can consult the details at the following link.
