Multiple vulnerabilities found in Wayland's hotkey manager

A few days ago news broke that numerous vulnerabilities had been found in swhkd (Simple Wayland HotKey Daemon), caused by the incorrect handling of temporary files, command-line options and Unix sockets.

The program is written in Rust and handles hotkeys in environments based on the Wayland protocol (it is a configuration-file-compatible analog of the sxhkd process used in X11-based environments). The package includes an unprivileged swhks process that performs the hotkey actions, and a swhkd background process that runs as root and interacts with input devices at the API level. A Unix socket is used to organize the interaction between swhks and swhkd.

Polkit rules allow any local user to run the /usr/bin/swhkd process as root and pass parameters to it.

The integration of the RPM package submitted to openSUSE Tumbleweed contained unusual Polkit rules in the spec file, which required a review by the SUSE security team.

As a result of the review, several security issues were identified. Each problem is described in detail in the report below.

Of the vulnerabilities identified, the following were noted:

CVE-2022-27815

This vulnerability allows a process's PID to be stored in a file with a predictable name, located in a directory writable by other users (/tmp/swhkd.pid). Any user can create the /tmp/swhkd.pid file and put the PID of an existing process in it, which makes it impossible to start swhkd.

In the absence of protection against the creation of symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any directory on the system (the PID is written to the file), or to determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). It should be noted that in the released fix, the PID file was not moved to the /run directory but to the /etc directory (/etc/swhkd/runtime/swhkd_{uid}.pid), which is not the right place either.

CVE-2022-27814

This vulnerability allows the "-c" command-line option, used to specify the configuration file, to be used to determine the existence of any file on the system.

As with the first vulnerability, the fix for the problem is puzzling: it boils down to using an external "cat" ('Command::new("/bin/cat").arg(path).output()' is now executed to read the config file).

CVE-2022-27819

This problem is also related to the use of the "-c" option, which loads and parses the entire configuration file without checking the file's size and type.

For example, to cause a denial of service by exhausting free memory and generating spurious I/O, a block device can be specified at startup ("pkexec /usr/bin/swhkd -d -c /dev/sda"), or a character device that produces endless data.

The problem was fixed by resetting privileges before opening the file, but the solution is incomplete, since only the User ID (UID) is reset while the Group ID (GID) remains the same.
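As an added illustration (this is not swhkd's code nor its published fix), the following Rust function shows the type and size checks that the "-c" path handling lacked: it opens the path, runs fstat on the opened descriptor, refuses anything that is not a regular file (so /dev/sda or an endless character device is rejected), and caps the bytes read. The function name and the 1 MiB limit are assumptions; dropping both UID and GID before the open is still required and is not shown here.

```rust
// Added example, not swhkd's own code: bounded, type-checked reading of a
// configuration path taken from an untrusted "-c" argument.
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;

/// Hotkey configs are tiny; anything larger is refused. Assumed limit.
pub const MAX_CONFIG_BYTES: u64 = 1 << 20; // 1 MiB

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    Io(io::ErrorKind),
    NotRegularFile,
    TooLarge,
}

impl From<io::Error> for ConfigError {
    fn from(e: io::Error) -> Self {
        ConfigError::Io(e.kind())
    }
}

/// Reads `path` only if, after opening, it is a regular file no larger than
/// MAX_CONFIG_BYTES. The checks run on the opened descriptor (fstat), so a
/// path swapped between a separate stat() and the open() cannot bypass them.
pub fn read_config_bounded(path: &Path) -> Result<String, ConfigError> {
    let file = File::open(path)?;
    let meta = file.metadata()?; // fstat on the fd we will actually read
    if !meta.file_type().is_file() {
        // Block devices, character devices, FIFOs and directories all stop
        // here. /dev/sda and /dev/zero report a length of 0, so a size
        // check alone would not catch them.
        return Err(ConfigError::NotRegularFile);
    }
    if meta.len() > MAX_CONFIG_BYTES {
        return Err(ConfigError::TooLarge);
    }
    // The file may grow after fstat, so the read itself is capped as well.
    let mut limited = file.take(MAX_CONFIG_BYTES + 1);
    let mut text = String::new();
    limited.read_to_string(&mut text)?;
    if text.len() as u64 > MAX_CONFIG_BYTES {
        return Err(ConfigError::TooLarge);
    }
    Ok(text)
}
```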

CVE-2022-27818

This vulnerability allows the /tmp/swhkd.sock file to be used to create a Unix socket, which is created in a publicly writable directory, leading to problems similar to the first vulnerability (any user can create /tmp/swhkd.sock and generate or intercept key press events).

CVE-2022-27817

In this vulnerability, input events are accepted from all devices and in all sessions, i.e. a user in another Wayland or console session can intercept the events when other users press hotkeys.

CVE-2022-27816

The swhks process, like swhkd, uses the PID file /tmp/swhks.pid in the publicly writable /tmp directory. The problem is similar to the first vulnerability, but not as dangerous, since swhks runs as an unprivileged user.

Finally, if you are interested in learning more about this, you can consult the details at the following link.

