Vulnerability discovered in GDM

A security researcher at GitHub recently announced that he had found a vulnerability (CVE-2020-16125) in the GNOME Display Manager (GDM), the component responsible for displaying the login screen.

Combined with another vulnerability in the account tracking service (accounts-daemon), the issue allows code to be run as root. The vulnerability stems from the initial setup utility being launched incorrectly when the accounts-daemon service cannot be reached over DBus.

About the vulnerability

An unprivileged user can crash or hang the accounts-daemon process, which creates the conditions under which GDM runs the gnome-initial-setup utility. Through that utility the attacker can register a new user as a member of the sudo group, that is, a user able to run programs as root.

Normally, GDM calls gnome-initial-setup to create the first user only when there are no accounts on the system. The check for existing accounts is performed by contacting accounts-daemon. If that call fails, GDM assumes that no accounts exist and starts the initial setup process.
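The security-relevant point in that fallback is that a failed query is treated the same as "no accounts exist". The following Python sketch is an added example, not GDM's own code: the accounts-daemon query, the passwd lines and all function names are constructed here, and it contrasts that fail-open decision with a fail-closed variant that only starts initial setup on an affirmative answer confirmed by a second source.

```python
"""Fail-open vs fail-closed account discovery, modelled on the GDM behaviour
described above. The accounts-daemon query, the passwd lines and every name
here are constructed for this example; none of it is GDM's own code."""
from enum import Enum


class Lookup(Enum):
    USERS_PRESENT = 1
    NO_USERS = 2
    ERROR = 3  # daemon crashed, was stopped, or the DBus call timed out


def query_accounts_daemon(daemon_state: str, cached_users: list) -> Lookup:
    """Stand-in for GDM's DBus query to accounts-daemon. daemon_state takes
    the constructed values 'running', 'crashed' or 'hung'."""
    if daemon_state != "running":
        return Lookup.ERROR
    return Lookup.USERS_PRESENT if cached_users else Lookup.NO_USERS


def passwd_has_regular_users(passwd_text: str) -> bool:
    """Independent second source: scan /etc/passwd-style lines for an account
    in the regular-user UID range. 1000-59999 is Ubuntu's adduser default
    (an assumption here); root, daemons and 'nobody' fall outside it."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip malformed lines rather than trust them
        if 1000 <= int(fields[2]) <= 59999:
            return True
    return False


def vulnerable_choose_screen(daemon_state: str, cached_users: list) -> str:
    # Fail-open: anything other than an affirmative "users exist" answer is
    # treated as an empty system, so a crashed or hung daemon starts the
    # privileged initial-setup flow.
    if query_accounts_daemon(daemon_state, cached_users) == Lookup.USERS_PRESENT:
        return "login-screen"
    return "initial-setup"


def hardened_choose_screen(daemon_state: str, cached_users: list,
                           passwd_text: str) -> str:
    # Fail-closed: initial setup runs only when the daemon affirmatively
    # reports no users AND a second source agrees; a daemon error falls
    # back to the unprivileged login screen.
    result = query_accounts_daemon(daemon_state, cached_users)
    if result == Lookup.NO_USERS and not passwd_has_regular_users(passwd_text):
        return "initial-setup"
    return "login-screen"
```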

The researcher identified two ways to disrupt the accounts-daemon process: the first (CVE-2020-16126) is caused by an incorrect privilege reset, and the second (CVE-2020-16127) by an error in the handling of the ".pam_environment" file.

In addition, another vulnerability was found in accounts-daemon (CVE-2018-14036), caused by incorrect file path validation, which allows the contents of arbitrary files on the system to be read.

The accounts-daemon vulnerabilities are caused by changes made by the Ubuntu developers and are not present in the upstream accounts-daemon code of the FreeDesktop project or in the Debian package.

The CVE-2020-16127 issue lies in a patch added in Ubuntu that implements the is_in_pam_environment function, which reads the contents of the .pam_environment file from the user's home directory. If a symlink pointing to /dev/zero is placed where this file should be, the accounts-daemon process hangs in an endless series of read operations and stops responding to requests over DBus.

It is unusual for a vulnerability in a modern operating system to be easy to exploit. On some occasions I have written thousands of lines of code to exploit a vulnerability.

Most modern exploits involve complicated tricks, such as using a memory corruption vulnerability to forge fake objects on the heap, or replacing a file with a symlink with microsecond precision to exploit a TOCTOU vulnerability.

So these days it is rare to find a vulnerability that requires no coding skills to exploit. I also think the vulnerability is easy to understand, even if you have no prior knowledge of how Ubuntu works or experience in security research.

The CVE-2020-16126 vulnerability is caused by another patch, which resets the current user's privileges while handling certain DBus calls (for example, org.freedesktop.Accounts.User.SetLanguage).

The accounts-daemon process normally runs as root, which prevents an ordinary user from sending it signals.

But because of the added patch, the process's privileges can be dropped, and a user can take advantage of this by sending a signal. To carry out the attack, it is enough to create the conditions under which the privileges are dropped (the RUID changes) and send a SIGSEGV or SIGSTOP signal to the accounts-daemon process.

The user ends the graphical session and switches to a text console (Ctrl-Alt-F1).
After the graphical session ends, GDM tries to display the login screen, but hangs while waiting for a response from accounts-daemon.

The SIGSEGV and SIGCONT signals are sent from the console to the accounts-daemon process, causing it to crash.

The signals can also be sent before leaving the graphical session, but then they must be delayed so that there is time to end the session, and so that GDM has time to start before the signal is delivered.

GDM's request to accounts-daemon fails, and GDM launches the gnome-initial-setup utility, whose interface is sufficient to create a new account.

The vulnerability is fixed in GNOME 3.36.2 and 3.38.2. Exploitation has been confirmed on Ubuntu and its derivatives.

Source: https://securitylab.github.com
