Trojan Source, an attack that allows adding code changes invisible to the developer

A few days ago, researchers at Cambridge University published a technique for subtly substituting malicious code in application source code.

The attack method has already been catalogued as CVE-2021-42574. It goes by the name Trojan Source and is based on forming text that looks different to the compiler / interpreter than to the person viewing the code.

About Trojan Source

The method relies on using special Unicode characters in code comments that change the display order of bidirectional text. With the help of these control characters, some parts of the text can be displayed left to right, while others are displayed right to left.

In everyday practice, these control characters can be used, for example, to insert Hebrew or Arabic strings into a code file. However, if you use these characters to combine lines with different text directions on the same line, passages of text displayed right to left can overlap existing normal text displayed left to right.

In this way, a malicious construct can be added to the code, and the text containing this construct can then be made invisible when the code is viewed, by adding characters displayed right to left in the following comment or inside the literal itself, which results in completely different characters being superimposed on the malicious insertion. Such code remains semantically correct, but it is interpreted and displayed differently.

We have discovered ways to manipulate the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display the code as an anagram of its true logic. We have verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and we suspect that it will work against many other modern languages.

While reviewing the code, the developer is looking at the visual order of the characters and will see a comment that does not arouse suspicion in a text editor, web interface or IDE, but the compiler and interpreter use the logical order of the characters and process the malicious code as it is, regardless of the bidirectional text in the comment. Several popular code editors (VS Code, Emacs, Atom) are affected, as are the interfaces for viewing code in repositories (GitHub, Gitlab, BitBucket, and all Atlassian products).

There are several ways to use the method to carry out malicious actions: adding a hidden "return" statement, which causes the function to finish executing prematurely; enclosing in a comment expressions that would normally be seen as valid constructs (for example, to disable important checks); assigning other string values that lead to string validation failures.

In addition, another attack variant was described (CVE-2021-42694), which involves the use of homoglyphs: characters that look alike in appearance but differ in meaning and have different Unicode code points. In some languages these characters can be used in function and variable names to mislead developers. For example, you can define two functions with visually indistinguishable names that perform different actions. Without detailed analysis, you cannot quickly tell which of these two functions is being called at a given place.

As a protective measure, it is recommended that compilers, interpreters and build tools that support Unicode characters show an error or warning when comments, string literals or identifiers contain unpaired control characters that change the output direction. These characters should also be explicitly prohibited in programming language specifications and should be taken into account in code editors and in interfaces for working with repositories.
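The check recommended above can be sketched as a small scanner that reports every bidirectional control character and whether it is terminated on its own line. This is an added example, not code from the researchers or from any of the projects named on this page; the names `scan_bidi` and `unpaired` are hypothetical, the sample is constructed, and strict stack pairing is a simplification of the Unicode bidirectional algorithm.

```python
import unicodedata

PDF, PDI = "\u202c", "\u2069"
# Opener -> terminator it needs (explicit directional formatting characters).
CLOSED_BY = {
    "\u202a": PDF, "\u202b": PDF, "\u202d": PDF, "\u202e": PDF,  # LRE RLE LRO RLO
    "\u2066": PDI, "\u2067": PDI, "\u2068": PDI,                  # LRI RLI FSI
}


def scan_bidi(source):
    """Return (line, column, character name, paired) for every bidi control."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        open_stack = []  # (index into findings, expected terminator)
        for col, ch in enumerate(line, 1):
            if ch in CLOSED_BY:
                open_stack.append((len(findings), CLOSED_BY[ch]))
                findings.append([line_no, col, unicodedata.name(ch), False])
            elif ch in (PDF, PDI):
                paired = bool(open_stack) and open_stack[-1][1] == ch
                if paired:
                    findings[open_stack.pop()[0]][3] = True
                findings.append([line_no, col, unicodedata.name(ch), paired])
        # Openers left on the stack keep paired=False: they run to end of line.
    return [tuple(f) for f in findings]


def unpaired(source):
    """Only the controls a compiler or CI gate would reject outright."""
    return [f for f in scan_bidi(source) if not f[3]]


# Constructed sample; controls are written as escapes so this file stays clean.
SAMPLE = (
    "def check(user):\n"
    "    # note \u202e unterminated override\n"
    "    label = '\u2067admin\u2069'\n"
    "    return user == label\n"
)

if __name__ == "__main__":
    for line_no, col, name, paired in scan_bidi(SAMPLE):
        print(f"{line_no}:{col} {name} {'paired' if paired else 'UNPAIRED'}")
```

A stricter policy rejects every finding from `scan_bidi`, paired or not, for code bases that have no legitimate right-to-left text.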

In addition, fixes for the vulnerabilities have already begun to be prepared for GCC, LLVM / Clang, Rust, Go, Python and binutils. GitHub, Bitbucket and Jira are also already preparing a solution, together with GitLab.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

