Vulnerability found in zlib

A vulnerability in the zlib library was recently disclosed and has been registered as CVE-2018-25032. It causes a buffer overflow when compressing a specially crafted sequence of characters in the input data.

So far the researchers have only demonstrated that the flaw can be used to terminate the process abnormally, so it has not yet been established whether the problem could have more serious consequences.

The vulnerability is reported to have been present since zlib 1.2.2.2 and affects the current release, zlib 1.2.11. It is worth noting that a patch fixing the vulnerability was proposed in 2018, but the developers did not act on it and did not publish a corrected version (the zlib library was last updated in 2017).

The bug was reported by Danilo Ramos of Eideticom, Inc., and it had been lurking for 13 years before being discovered! The bug was introduced in zlib 1.2.2.2 together with the addition of the Z_FIXED option, which forces the use of fixed Huffman codes. For rare inputs with many distant matches, the pending buffer into which the compressed data is written can overflow. This results in corrupted output because of the invalid distances, and can lead to out-of-bounds access that crashes the application.

The problem shows up when the input stream contains a large number of matches to encode and the encoding is based on fixed Huffman codes. Under certain conditions, the contents of the intermediate buffer holding the compressed result can overlap the memory in which the symbol table is stored. As a result, malformed compressed data is produced and the process crashes because of a write beyond the buffer boundary.

The problem can only be exploited with a compression strategy based on fixed Huffman codes. Such a strategy is selected when the Z_FIXED option is explicitly specified in the code (an example of a sequence that causes a crash when the Z_FIXED option is used has been published). Judging from the code, the Z_FIXED strategy can also be selected automatically if the full and dynamic Huffman trees computed for the data turn out to have the same size.

The fix combines the distance buffer and the literal/length buffer into a single symbol buffer. Three bytes of pending buffer space are now freed for each literal or length/distance pair consumed, instead of the previous two bytes. This guarantees that the pending buffer cannot overrun the symbol table, since the longest fixed-code compressed literal or length/distance pair is 31 bits, and there are four bytes of pending space for every three bytes of symbol space.

It is not yet entirely clear whether the conditions for exploiting the vulnerability can be met with the Z_DEFAULT_STRATEGY compression strategy, which is used by default.

Otherwise, the vulnerability would be limited to those systems where the Z_FIXED option is used explicitly. In that case, the damage from the vulnerability could still be significant, since zlib is the de facto standard library and is used in many well-known projects, including the Linux kernel, OpenSSH, OpenSSL, Apache httpd, libpng, FFmpeg, rsync, dpkg, rpm, Git, PostgreSQL, MySQL and others.

It is also reported that the vulnerability manifests itself when the default strategy Z_DEFAULT_STRATEGY is selected. In practice, an attack is still considered unlikely, since exploitation with the demonstrated sequence requires the memLevel parameter to be set to 1, whereas level 8 is selected by default.

An example of a triggering call sequence is one where "deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY)" is called (level=7, windowBits=15, memLevel=1).
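As an added example (not from the article or from the zlib project), the following Python script uses the standard `zlib` binding, whose `compressobj()` takes the same level, method, windowBits, memLevel and strategy arguments as `deflateInit2()`, to do three things a defender inventorying zlib users would want: flag a `deflateInit2()` parameter set that matches the conditions the article describes (an explicit Z_FIXED strategy, or memLevel=1 as in the demonstrated crash sequence), check whether the zlib the interpreter is linked against falls in the 1.2.2.2 to 1.2.11 range named above (treating zlib-ng as unaffected, as the article states), and run the article's exact call parameters over a constructed, benign input with a round-trip check. The function names and the sample input are my own. The version-range check is an inventory aid, not proof of a patched build: distributions routinely backport fixes without changing the version string.

```python
import re
import zlib

# Affected range as stated in the article: the bug was introduced in zlib
# 1.2.2.2 and is still present in 1.2.11.
FIRST_AFFECTED = (1, 2, 2, 2)
LAST_AFFECTED = (1, 2, 11)

# Constructed sample input (not from the article): highly repetitive, so it
# compresses well and exercises both strategies with only short-distance matches.
SAMPLE = b"defender check for CVE-2018-25032 " * 64


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlibVersion() string such as '1.2.11' or '1.2.2.2' into a tuple
    of integers that compares numerically.  Any non-numeric suffix (for
    example zlib-ng's marker) is ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_in_affected_range(version: str) -> bool:
    """True when the version string falls inside 1.2.2.2 .. 1.2.11.x.
    zlib-ng reports a zlib-compatible version string, but the article notes
    it is not affected, so it is excluded by name."""
    if "zlib-ng" in version:
        return False
    v = parse_zlib_version(version)
    # Compare the 1.2.11 bound on the first three components so that point
    # releases such as 1.2.11.1 still count as affected.
    return v >= FIRST_AFFECTED and v[:3] <= LAST_AFFECTED


def risky_deflate_params(mem_level: int, strategy: int) -> list:
    """List the reasons, if any, why a deflateInit2() parameter set matches
    the conditions the article ties to this bug: an explicit Z_FIXED strategy,
    or memLevel=1 as in the demonstrated crash sequence.  An empty list means
    the call matches neither condition; it does not prove the call is safe."""
    reasons = []
    if strategy == zlib.Z_FIXED:
        reasons.append("Z_FIXED strategy forces fixed Huffman codes")
    if mem_level == 1:
        reasons.append("memLevel=1 matches the demonstrated crash sequence")
    return reasons


def deflate_roundtrip(data: bytes, level: int = 7, wbits: int = 15,
                      mem_level: int = 1,
                      strategy: int = zlib.Z_DEFAULT_STRATEGY) -> bytes:
    """Mirror the article's deflateInit2(&strm, 7, Z_DEFLATED, 15, 1,
    Z_DEFAULT_STRATEGY) through Python's zlib binding (same argument order),
    compress `data`, verify it inflates back unchanged, and return the
    compressed bytes."""
    comp = zlib.compressobj(level, zlib.DEFLATED, wbits, mem_level, strategy)
    compressed = comp.compress(data) + comp.flush()
    if zlib.decompress(compressed, wbits) != data:
        raise RuntimeError("round trip mismatch")
    return compressed


def audit_runtime() -> dict:
    """Summarise the zlib the interpreter is linked against."""
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "runtime_version": runtime,
        "in_affected_range": version_in_affected_range(runtime),
        "default_memlevel": zlib.DEF_MEM_LEVEL,
    }


if __name__ == "__main__":
    print(audit_runtime())
    print("article call:", risky_deflate_params(1, zlib.Z_DEFAULT_STRATEGY))
    print("explicit Z_FIXED:", risky_deflate_params(8, zlib.Z_FIXED))
    print(len(deflate_roundtrip(SAMPLE)), "bytes with Z_DEFAULT_STRATEGY")
    print(len(deflate_roundtrip(SAMPLE, strategy=zlib.Z_FIXED)), "bytes with Z_FIXED")
```

Run it directly to see the linked zlib version and whether it sits in the affected range; in a code audit, feed the memLevel and strategy values found at each `deflateInit2()` call site into `risky_deflate_params()` to prioritise which callers to review first.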

Finally, it should be noted that the fix has not yet been included in the packages shipped by distributions, so you can follow the release of fixes on the distributions' pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The zlib-ng library is not affected by the problem.

If you are interested in learning more about it, you can check the details in the following link.
