The author of XZ has released new corrective versions and a report on the backdoor case

XZ Linux Utility

A little over two months ago, we shared here on the blog the news of the backdoor case in the XZ utility. In that article I also shared my opinion, which I stated then and will keep stating, that this case will be talked about for a long time, since "it is one of the best examples of the use of social engineering."

At that time we also shared other articles that compiled the various actions taken in the case, along with how the situation was possible and how it could have remained undetected for a long time.

Related article:
How was it possible for Debian to let the XZ backdoor through? A brief analysis of the case

Now the author and original maintainer of the xz project, Lasse Collin, has announced the release of new corrective versions of XZ Utils: 5.2.13, 5.4.7 and 5.6.2. These versions remove the backdoor component and other suspicious changes previously accepted from Jia Tan.

Along with the corrective releases, Lasse Collin also shared a review report on the Git repository, covering the changes made since December 2022, the period during which Jia Tan was a maintainer of the project. The report details the changes reviewed at the commit level and states that although the commits in the repository were not digitally signed, no signs of committer impersonation were found. In total, eight malicious commits were removed from the repository.

And although some changes from 2023 were suspected of introducing malicious modifications, we can see that the report explains that the first changes made to introduce the backdoor date back to the beginning of 2024, by which point Jia Tan already had a lot of activity related to introducing the backdoor into XZ.

The compressed files created and signed by Jia Tan were reviewed and contain no malicious content.

NOTE
The tags v5.2.11 and v5.4.2 in the Git repository were signed by Jia Tan, but the tar files were created and signed by me.
With the following exceptions, the files in the Git repository match the tar files:

.po files are updated as part of make mydist (or make dist).

ChangeLog is a generated file in the tar archives.

Each version is available in more than one compression format. The decompressed .tar is identical across all compression formats of a given version.

The file names in the archive files are sane. For example, the same file does not appear more than once.

PDF files are hard to reproduce because they contain a timestamp and also depend on the versions of the tools used. However, the PDF files look normal and their file sizes are also normal (they differ only by a few bytes).
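The checks listed in the note above (an identical .tar behind every compression format, no repeated file names, and Git files matching the tarball apart from .po files and ChangeLog) can be sketched as follows. This is an added example, not code from the report or from the xz project; the function names and the sample data are constructed, and it assumes tar member names and Git paths are written in the same relative form.

```python
import bz2, gzip, hashlib, io, lzma, tarfile
from collections import Counter

def expected_difference(name):
    # Exceptions listed in the report: regenerated .po files, generated ChangeLog.
    return name.endswith(".po") or name.rsplit("/", 1)[-1] == "ChangeLog"

def unpack(blob):
    """Return the raw .tar bytes of a .gz, .bz2 or .xz archive (by magic bytes)."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    if blob[:3] == b"BZh":
        return bz2.decompress(blob)
    if blob[:6] == b"\xfd7zXZ\x00":
        return lzma.decompress(blob)
    raise ValueError("unknown compression format")

def same_tar_in_all_formats(blobs):
    """True if every compressed variant unpacks to a byte-identical .tar."""
    return len({hashlib.sha256(unpack(b)).digest() for b in blobs}) == 1

def read_members(tar_bytes):
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return [(m.name, tf.extractfile(m).read()) for m in tf.getmembers() if m.isfile()]

def duplicate_names(tar_bytes):
    """Names stored more than once; a later entry would overwrite an earlier one."""
    counts = Counter(name for name, _ in read_members(tar_bytes))
    return sorted(n for n, c in counts.items() if c > 1)

def unexpected_differences(tar_bytes, git_tree):
    """Files that differ, or exist on one side only, minus the expected exceptions.
    Tar-only files are reported as well so that they get their own review."""
    in_tar = dict(read_members(tar_bytes))
    return sorted(n for n in set(in_tar) | set(git_tree)
                  if in_tar.get(n) != git_tree.get(n) and not expected_difference(n))

def build_tar(files):
    """Helper for constructed sample input: in-memory tar from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: a tiny "release" and a matching Git tree (not real xz data).
GIT_TREE = {"src/a.c": b"int a;\n", "po/de.po": b"old\n"}
RELEASE = build_tar([("src/a.c", b"int a;\n"), ("po/de.po", b"new\n"),
                     ("ChangeLog", b"generated\n")])
```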

The report also mentions that the CLMUL CRC code, which produces false positives when checked with MSAN (memory sanitizer) and has issues with OSS Fuzz, has not yet been removed from the code base. This code is planned to be reworked in the future, but for now it was decided not to touch it in order to avoid regressions in the old branches. No suspicious changes were found in the old branches that were added before the changes associated with the backdoor. In addition, the po localization files, the metadata in the tar files, and the files carrying version information were verified separately.

The changes also include recent bug fixes and the removal of support for the IFUNC mechanism, provided by Glibc for indirect function calls, which was used to arrange the backdoor's interception of functions. It is worth noting that using IFUNC only complicates the code and that the performance gain is negligible. As a precaution, the XZ logo, the PDF versions of the man pages, and two tests for the x86 and SPARC architectures, which used object files as input, were also removed from the source package.

As for the improvements made, one example is that the xzdec decoder gained support for ABI version 4 of the Landlock application isolation mechanism. In addition, the "--enable-doxygen" option was added to the Autotools build and the ENABLE_DOXYGEN parameter was added to the CMake script to generate and install the liblzma API documentation using Doxygen. Pre-generated documentation was also removed from the package to reduce size and complexity.

Finally, if you want to know more about it, you can check the details in the following link.

