A vulnerability was found in Ghostscript that could allow code execution

A few days ago, news was published of a vulnerability identified in Ghostscript (CVE-2020-15900) that could allow files to be modified and arbitrary commands to be executed when opening specially crafted PostScript documents.

For those unfamiliar with Ghostscript, it is a rendering engine for PostScript and PDF content, commonly used to convert PDF and PostScript documents into images for viewing, thumbnail generation and printing.

It is also used for full document rendering in many PDF viewers, including popular viewers on Android, and is licensed by several companies, such as Google, for rendering in the cloud.

About the vulnerability in Ghostscript

The bug was identified in the handling of a non-standard PostScript search operator: a document can trigger an overflow of the uint32_t size calculation, write to memory outside the allocated buffer and access files on the filesystem, which could be used to stage an attack that executes arbitrary code on the system (for example, by adding commands to ~/.bashrc or ~/.profile).

The snippet found by AFL pushed an empty string onto the stack, written as empty parentheses (), copied a reference to it, leaving two empty strings () () on the stack, and then searched backward. In other words, it searched for an empty string inside an empty string, starting from the end.

Unfortunately, an edge case was missed when searching for an empty string. Searching for an empty string is defined as an immediate success: there is nothing to search for, so the search skips straight to the end. However, the result still has to be split into pre-match, match and post-match values. The code assumed that a match had consumed something and computed the length of the post-match result incorrectly by subtracting one from zero, which wrapped around to the maximum value: 4,294,967,295.

This is the kind of memory corruption error that is potentially exploitable and occurs all the time. There is no need to deal with stack canaries and the like; the bug allows reading and writing anywhere in the main memory region. This made it very easy for someone without exploit-writing experience to use it.
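The arithmetic described in the two preceding paragraphs, as an added C example that is not the article's code or Ghostscript's source. It is a simplified reconstruction of the described failure mode, not the actual Ghostscript implementation: a reverse search that reports an empty pattern as an immediate success, a split of the subject into pre-match, match and post-match lengths, and the one-off subtraction that wraps a uint32_t from 0 to 4,294,967,295. The checked version derives every length from the match position and verifies the invariant before trusting the values, and the final function shows why a wrapped length defeats a later bounds check. All function names and sample strings are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lengths of the three pieces a PostScript-style search leaves on the
 * operand stack: the text before the match, the match itself and the text
 * after it. All three are 32-bit unsigned, like the size the article describes. */
typedef struct {
    bool found;
    uint32_t pre_len;
    uint32_t match_len;
    uint32_t post_len;
} rsearch_result;

/* Reverse search: index of the LAST occurrence of pat in s, or -1.
 * An empty pattern matches immediately at the end of s (index slen). */
static long find_last(const char *s, uint32_t slen, const char *pat, uint32_t plen)
{
    if (plen > slen)
        return -1;
    for (uint32_t i = slen - plen + 1; i-- > 0;) {
        if (memcmp(s + i, pat, plen) == 0)
            return (long)i;
    }
    return -1;
}

/* Assumed reconstruction of the faulty arithmetic (illustration only, not
 * Ghostscript's code): the empty pattern is reported as an immediate success,
 * but the post-match length is computed as if one byte had been consumed by
 * the match. With an empty subject this is 0 - 1, which wraps to 4,294,967,295. */
static rsearch_result rsearch_unchecked(const char *s, uint32_t slen,
                                        const char *pat, uint32_t plen)
{
    rsearch_result r = { false, 0, 0, 0 };
    long idx = find_last(s, slen, pat, plen);
    if (idx < 0)
        return r;
    r.found = true;
    r.pre_len = (uint32_t)idx;
    r.match_len = plen;
    if (plen == 0)
        r.post_len = slen - (uint32_t)idx - 1;   /* unsigned wrap when idx == slen */
    else
        r.post_len = slen - (uint32_t)idx - plen;
    return r;
}

/* Corrected split: the post-match length is derived from the match position
 * and the real pattern length, and the position is validated first so the
 * subtraction cannot underflow. pre + match + post == slen always holds. */
static rsearch_result rsearch_checked(const char *s, uint32_t slen,
                                      const char *pat, uint32_t plen)
{
    rsearch_result r = { false, 0, 0, 0 };
    long idx = find_last(s, slen, pat, plen);
    if (idx < 0 || (uint32_t)idx > slen || slen - (uint32_t)idx < plen)
        return r;   /* impossible position: refuse rather than wrap */
    r.found = true;
    r.pre_len = (uint32_t)idx;
    r.match_len = plen;
    r.post_len = slen - (uint32_t)idx - plen;   /* safe after the check above */
    return r;
}

/* A typical bounds check downstream of the search: is `offset` inside a
 * buffer whose recorded length is `len`? With a wrapped length of
 * 4,294,967,295 this accepts practically any offset, which is why the article
 * describes the bug as easy to turn into out-of-bounds reads and writes. */
static bool offset_in_bounds(uint32_t len, uint32_t offset)
{
    return offset < len;
}

int main(void)
{
    rsearch_result bad = rsearch_unchecked("", 0, "", 0);
    rsearch_result good = rsearch_checked("", 0, "", 0);
    printf("unchecked post-match length: %u\n", bad.post_len);
    printf("checked   post-match length: %u\n", good.post_len);
    printf("offset 100 accepted by the wrapped length? %s\n",
           offset_in_bounds(bad.post_len, 100) ? "yes" : "no");
    printf("offset 100 accepted by the checked length? %s\n",
           offset_in_bounds(good.post_len, 100) ? "yes" : "no");
    return 0;
}
```

The point of the checked version is not the extra branch for the empty pattern but that the three lengths are computed from one validated position, so no path can produce a length larger than the subject string; that is the property a reviewer should look for wherever sizes are computed by subtraction on unsigned types.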

Because of this overflow, the string was never actually allocated and occupied no real space, yet its recorded length extended over other memory. Attempting to read or write memory at arbitrary addresses would go outside the mapped memory bounds, so every attempt ended in a crash. However, a reference can be kept that allows it to be used with this code snippet:

It is important to consider that the vulnerability in Ghostscript is particularly dangerous because this package is used by many popular PostScript and PDF processing applications. For example, Ghostscript is invoked when creating thumbnails on the desktop, when indexing data in the background and when converting images.

For a successful attack, in many cases it is enough to download the malicious file or simply browse a directory containing it in Nautilus.

The vulnerability in Ghostscript can also be exploited through image handlers based on the ImageMagick and GraphicsMagick packages, by passing a JPEG or PNG file that contains PostScript code instead of an image (such a file will be processed by Ghostscript, because the MIME type is recognized from the content and not from the extension).

Solution

The issue affects versions 9.50 through 9.52 (the bug has been present since version 9.28rc1, but according to the researchers who identified the vulnerability, it has been observable since version 9.50).

The fix was already included in version 9.52.1, in addition to the updates released for the packages of Linux distributions such as Debian, Ubuntu and SUSE.

The packages in RHEL are not affected.

Source: https://insomniasec.com
