aCropalypse, a bug in Pixel devices that lets you recover screenshots


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or cause other problems.

Details have been released about a vulnerability (already catalogued as CVE-2023-21036) identified in the Markup application, which Google Pixel smartphones use to crop and edit screenshots, that allows partial recovery of cropped or edited information.

The engineers Simon Aarons and David Buchanan, who found the bug and produced a proof-of-concept recovery tool, respectively, named it Cropalypse and said that "this bug is bad" for people concerned about their privacy.

This means that if someone gets hold of your cropped image, they can try to recover the part that appears to be missing. If the image was redacted by scribbling over certain areas, those areas may be visible in the recovered image. This is bad for privacy.

The problem appears when PNG images are edited in Markup. It is caused by the fact that when the new, modified image is written, the data is laid over the previous file without truncation. In other words, the final file obtained after editing still includes the tail of the source file, in which the compressed data remains.

The problem is classified as a vulnerability because a user can send an edited image after removing sensitive data, while in reality that data remains in the file even though it is not visible during normal viewing. To restore the remaining data, the acropalypse.app web service was launched and an example Python script was published.

The vulnerability has been present since the Google Pixel 3 smartphone was launched in 2018, on firmware based on Android 10 and newer versions. The issue was fixed in the March Android firmware update for Pixel phones.

"The end result is that the image file is opened without the [truncate] flag, so that when the cropped image is written, the original image is not truncated," Buchanan said. "If the new image file is smaller, the end of the original is left behind."

The parts of the file that were supposed to be truncated turned out to be recoverable as images after some reverse engineering of the zlib compression library methodology, which Buchanan says he was able to do "after a few hours of playing around." The result is a proof of concept that anyone with an affected Pixel device can test for themselves.

The problem is believed to stem from an incompatible behavior change in the ParcelFileDescriptor.parseMode() method. Before the release of the Android 10 platform, the "w" (write) flag caused the file to be truncated when writing to a file that already existed. Since the release of Android 10 the behavior has changed: truncation requires explicitly specifying the "wt" (write, truncate) flag, and when only the "w" flag is specified, the tail is no longer removed after the file is rewritten.
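The overwrite without truncation described above can be reproduced and checked for with a short script. This is an added example, not the researchers' published script or Google's code: the function names, the `save` helper that models the "w" and "wt" modes with POSIX open flags, and the noise-filled sample PNGs are assumptions constructed for illustration.

```python
# Added illustration: helper names and sample images are constructed, not taken from the page.
import os, pathlib, struct, tempfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, body):
    """One PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(width, height):
    """Constructed sample input: minimal 8-bit grayscale PNG filled with noise."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + os.urandom(width) for _ in range(height))
    parts = [(b"IHDR", ihdr), (b"IDAT", zlib.compress(rows)), (b"IEND", b"")]
    return PNG_SIG + b"".join(chunk(t, b) for t, b in parts)

def save(path, data, truncate):
    """Overwrite in place. truncate=False models 'w' on Android 10+, True models 'wt'."""
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as f:
        f.write(data)

def leftover_bytes(path):
    """Bytes stored after the first IEND chunk; non-zero means stale data survived."""
    data = pathlib.Path(path).read_bytes()
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND" and pos <= len(data):
            return len(data) - pos
    raise ValueError("no complete IEND chunk")

def strip_trailing(path):
    """Cut an existing file at the end of IEND; returns how many bytes were removed."""
    extra = leftover_bytes(path)
    os.truncate(path, os.path.getsize(path) - extra)  # same size when the file is clean
    return extra

def demo(truncate):
    """Save a large screenshot, then a smaller 'cropped' one over the same path."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "screenshot.png")
        save(path, make_png(64, 64), truncate=True)
        save(path, make_png(16, 16), truncate=truncate)
        return leftover_bytes(path)
```

`demo(False)` reports thousands of leftover bytes while `demo(True)` reports none; `leftover_bytes` can be run over an archive of old screenshots to find files that still carry a stale tail, and `strip_trailing` removes it.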

In short, the "aCropalypse" flaw allowed someone to take a PNG image cropped in Markup and undo some of the edits. It is easy to imagine scenarios in which a bad actor could abuse that ability. For example, if a Pixel owner used Markup to redact an image containing sensitive information about themselves, someone could use the flaw to reveal that information.

It is worth mentioning that Google patched Cropalypse in its March Pixel security updates (before details of the vulnerability were released):

All is well going forward: you can now crop, redact, and share without fear that your future images could be recovered, but not for screenshots vulnerable to the exploit that have already been passed around, uploaded to Discord, and so on.

Finally, if you want to know more about this vulnerability, you can read the original publication at the following link.

