Vulnerability discovered in Composer puts the Packagist PHP package repository at risk

A few days ago the news broke that a serious vulnerability had been identified in the Composer dependency manager (CVE-2021-29472). It allows arbitrary commands to be executed on the system while processing a package whose URL value, the one that tells Composer where to download the source code from, has been specially crafted.

The problem shows up in the GitDriver, SvnDriver and HgDriver used for the Git, Subversion and Mercurial source control systems. The vulnerability was fixed in Composer versions 1.10.22 and 2.0.13.

In particular it affects Packagist, Composer's default package repository, which holds 306,000 PHP developer packages and serves more than 1.4 billion downloads per month.

In the PHP ecosystem, Composer is the main tool for managing and installing software dependencies. Development teams around the world rely on it to simplify the upgrade process and to make sure an application runs the same way across all environments and versions.

The audit showed that an attacker who knew about the problem could take control of the Packagist infrastructure and intercept maintainers' credentials, or redirect package downloads to a third-party server in order to deliver modified package versions that plant a backdoor during dependency installation.

The risk to end users is limited, because the contents of composer.json are usually defined by the user and the source links are handed over when accessing third-party repositories, which are generally trusted. The main impact falls on the Packagist.org repository and the Private Packagist service, which invoke Composer with data received from users. Attackers could run their code on the Packagist servers by publishing a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of being notified. The researchers privately informed the Packagist developers on April 22 and the issue was fixed the same day. The public Composer update containing the fix was released on April 27, and the details were disclosed on April 28. An audit of the logs on the Packagist servers revealed nothing suspicious related to the vulnerability.

Argument injection bugs are a really interesting class of bugs that are often overlooked during code review and cannot be fully observed through black-box interaction.

The problem is caused by a bug in the URL validation code applied to the composer.json file and to the source download links. The bug had been present in the code since November 2011. Packagist uses dedicated drivers to manage code downloads without being tied to a particular source control system; these drivers run the tool by calling "fromShellCommandline" with command-line arguments.

The heart of the problem is that when ProcessExecutor was called, the URL could carry any additional parameters. That escaping was missing in GitDriver.php, SvnDriver.php and HgDriver.php. An attack through GitDriver.php was hampered by the fact that the "git ls-remote" command does not accept additional arguments after the path.

The attack through HgDriver.php was possible by passing the "--config" parameter to the "hg" utility, which enables arbitrary command execution by manipulating the "alias.identify" setting.
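The defensive pattern the two paragraphs above point at, as an added example in PHP that is not Composer's own code: a user-supplied repository URL is rejected whenever it could be read as a command-line option, and the VCS command is built with escapeshellarg() plus a "--" separator so the URL can never be parsed as an option even if validation were bypassed. The class and method names are hypothetical, and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not Composer's code. Class and method names are hypothetical.
declare(strict_types=1);

final class RepositoryUrlValidator
{
    /** Schemes a package source URL is expected to use (assumed list). */
    private const ALLOWED_SCHEMES = ['http', 'https', 'ssh', 'git', 'svn', 'file'];

    /**
     * Returns the URL unchanged if it is safe to hand to a VCS tool, or throws.
     * The first check is the one the drivers were missing: a value starting
     * with "-" (e.g. "--config=...") would otherwise reach hg as an option.
     */
    public static function validate(string $url): string
    {
        if ($url === '' || $url[0] === '-') {
            throw new InvalidArgumentException('Repository URL must not start with "-"');
        }
        // A URL never needs whitespace or shell metacharacters; refuse them outright.
        if (preg_match('/[\s;&|`$<>]/', $url) === 1) {
            throw new InvalidArgumentException('Repository URL contains forbidden characters');
        }
        // Explicit "scheme://" form: the scheme must be on the allow-list.
        if (preg_match('#^([a-z][a-z0-9+.-]*)://#i', $url, $m) === 1) {
            if (!in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true)) {
                throw new InvalidArgumentException('Unsupported URL scheme: ' . $m[1]);
            }
            return $url;
        }
        // scp-style "user@host:path" has no scheme; accept only that exact shape.
        if (preg_match('#^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+$#', $url) === 1) {
            return $url;
        }
        throw new InvalidArgumentException('Repository URL has no recognised scheme');
    }
}

final class VcsCommandBuilder
{
    /**
     * escapeshellarg() keeps the URL a single argument; "--" tells the tool
     * that everything after it is an operand, never an option.
     */
    public static function gitLsRemote(string $url): string
    {
        $url = RepositoryUrlValidator::validate($url);
        return 'git ls-remote --heads -- ' . escapeshellarg($url);
    }

    public static function hgIdentify(string $url): string
    {
        $url = RepositoryUrlValidator::validate($url);
        return 'hg identify -- ' . escapeshellarg($url);
    }
}

/** Runs the builder over constructed inputs and reports accept/reject per input. */
function demo(): array
{
    $candidates = [
        'https://github.com/example/package.git', // constructed, legitimate
        'git@github.com:example/package.git',     // constructed, scp-style
        '--config=foo=bar',                       // constructed, option-shaped
        'https://example.com/repo;ls',            // constructed, metacharacter
    ];
    $results = [];
    foreach ($candidates as $candidate) {
        try {
            $results[$candidate] = VcsCommandBuilder::hgIdentify($candidate);
        } catch (InvalidArgumentException $e) {
            $results[$candidate] = 'rejected: ' . $e->getMessage();
        }
    }
    return $results;
}

print_r(demo());
```

Running the script prints a quoted `hg identify -- '...'` command for the two well-formed URLs and a "rejected" line for the option-shaped and metacharacter inputs. The allow-list and the regular expressions are deliberately strict; if a deployment needs another scheme, add it to the list rather than loosening the leading-dash check.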

By submitting a test package with such a URL to Packagist, the researchers confirmed that after publication their server received an HTTP request from one of the Packagist servers on AWS containing a listing of the files in the current directory.

It should be noted that the maintainers found no signs of prior exploitation of this vulnerability in the public Packagist instance.

Finally, if you want to know more about it, you can check the details at the following link.
