Multiple vulnerabilities found in various open source projects

A few days ago a number of vulnerability announcements were made public for various open source projects, and among the most significant is the one found in the OpenSSL cryptographic library, caused by a bug in the implementation of the adder in the BN_mod_exp function, which causes an incorrect result of the squaring operation to be returned.

The problem has already been catalogued as CVE-2021-4160 and occurs only on hardware based on the MIPS32 and MIPS64 architectures, and it can compromise elliptic curve algorithms, including those used by default in TLS 1.3. The issue was fixed in the December updates of OpenSSL 1.1.1m and 3.0.1.

In addition, carrying out a real attack to obtain information about private keys using the identified problem is considered potentially possible for the RSA, DSA and Diffie-Hellman (DH) algorithms, but unlikely, very difficult to carry out and requiring enormous computing resources.

At the same time, an attack on TLS is excluded, since in 2016, when vulnerability CVE-2016-0701 was eliminated, sharing a private DH key between clients was prohibited.
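The practical first step for a defender here is triage: is the library on a given host one of the builds the page names as fixed (1.1.1m or 3.0.1), and is the host even a MIPS system, since the page states the bug is MIPS32/MIPS64-only? The following script is an added example written for this article, not code from the OpenSSL project. It parses the version banner Python exposes as `ssl.OPENSSL_VERSION` (strings like `OpenSSL 1.1.1l  24 Aug 2021`), orders the letter suffixes used by the 1.1.1 series, and reports anything outside the 1.1.1 and 3.x lines as "unknown" because the page makes no statement about them. The sample version strings in the test are constructed.

```python
import platform
import re
import ssl

# Fixed releases named in the article: 1.1.1m (letter suffix) and 3.0.1.
FIXED_111_LETTER = "m"
FIXED_30_PATCH = 1

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(version_string):
    """Parse an OpenSSL banner into (major, minor, patch, letter_suffix).

    The 1.1.1 series appends a letter ('1.1.1l', '1.1.1m'); 3.x uses a
    plain patch number, so the suffix group is empty there.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_string)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def version_status(version_string):
    """Classify a build against the fixed releases named in the article.

    Returns 'fixed', 'vulnerable' or 'unknown' (a series the article does
    not cover, e.g. 1.0.2, which this check deliberately does not guess at).
    """
    major, minor, patch, letter = parse_openssl_version(version_string)
    if (major, minor, patch) == (1, 1, 1):
        # Letter suffixes sort alphabetically; '' (base 1.1.1) sorts first.
        return "fixed" if letter >= FIXED_111_LETTER else "vulnerable"
    if (major, minor) == (3, 0):
        return "fixed" if patch >= FIXED_30_PATCH else "vulnerable"
    if major == 3 or major > 3:
        return "fixed"  # any 3.x line after 3.0 post-dates the fix
    return "unknown"


def assess_cve_2021_4160(version_string, machine):
    """Combine the version check with the architecture condition.

    `machine` is the value of platform.machine(); the article states the
    carry bug only manifests on MIPS32/MIPS64 hardware, so other
    architectures are reported as 'not_affected' regardless of version.
    """
    if not machine.lower().startswith("mips"):
        return "not_affected"
    return version_status(version_string)


if __name__ == "__main__":
    banner = ssl.OPENSSL_VERSION
    arch = platform.machine()
    print("%s on %s: %s" % (banner, arch, assess_cve_2021_4160(banner, arch)))
```

Run it on the host in question; the interesting output is "vulnerable" on a MIPS box, which means the library predates 1.1.1m / 3.0.1 and the elliptic-curve code paths the article mentions are at risk. Distribution packages often backport fixes without bumping the upstream version letter, so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof.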

Another vulnerability that was disclosed is CVE-2022-0330, identified in the i915 graphics driver and related to a missing GPU TLB flush. In the case where IOMMU (address translation) is not used, the vulnerability allows access to random memory pages from user space.

The problem can be used to corrupt or read data in random areas of memory. The issue occurs on all integrated and discrete Intel GPUs. The fix is implemented by adding a mandatory TLB flush before each GPU operation returns to the system, which will lead to performance degradation. The performance impact depends on the GPU, the operations performed on the GPU, and the system load. The fix is currently only available as a patch.

Vulnerabilities were also found in the standard Glibc library affecting the realpath (CVE-2021-3998) and getcwd (CVE-2021-3999) functions. The problem in realpath() is described as being caused by the return of an invalid value under certain conditions, containing unsanitised residual data from the stack. For the SUID-root fusermount program, the vulnerability can be used to obtain sensitive information from process memory, for example to obtain information about pointers.

The problem with getcwd() allows a one-byte buffer overflow. The problem is caused by a bug that has existed since 1995. To trigger the overflow, in a separate namespace, simply call chdir() on the "/" directory. It is not reported whether the vulnerability is limited to process crashes, but there have been cases of working exploits being created for such vulnerabilities in the past, despite scepticism from the developers.

Other vulnerabilities recently identified in open source projects:

  • Vulnerability CVE-2022-23220: in the usbview package, which allows local users logged in via SSH to execute code as root, due to a setting (allow_any=yes) in the PolKit rules that runs the usbview utility as root without authentication. The operation boils down to using the "--gtk-module" option to load your own library into usbview. The problem was fixed in usbview 2.2.
  • Vulnerability CVE-2022-22942 in the vmwgfx graphics driver used to implement 3D acceleration in VMware environments. The issue allows an unprivileged user to access files opened by other processes on the system. The attack requires access to the /dev/dri/card0 or /dev/dri/renderD128 device and the ability to make an ioctl() call with the obtained file descriptor.
  • Vulnerabilities CVE-2021-3996 and CVE-2021-3995: in the libmount library shipped with the util-linux package, which allow an unprivileged user to unmount disk partitions without being authorised to do so. The problem was identified during an audit of the SUID-root programs umount and fusermount.
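The usbview entry above is a misconfiguration rather than a memory bug: a PolKit action whose implicit authorisation is `allow_any=yes` lets any session, including a remote SSH session, run the annotated program as root with no authentication. That pattern is easy to audit for. The script below is an added example written for this article, not the usbview project's policy file; it parses polkit `.policy` XML (the real `<policyconfig>/<action>/<defaults>` layout with the `org.freedesktop.policykit.exec.path` annotation), flags each implicit-authorisation field set to `yes`, and grades `allow_any` highest because it covers sessions that are neither local nor active. The embedded sample policy, its action ids and its executable paths are constructed placeholders.

```python
import pathlib
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"

# allow_any covers every session (including remote/SSH), allow_inactive
# covers non-active local sessions, allow_active only the active console
# session; "yes" in any of them grants the action without authentication.
SEVERITY = {"allow_any": "high", "allow_inactive": "medium", "allow_active": "low"}

# Constructed sample in the polkit .policy format; action ids and paths are
# placeholders, not the real usbview policy.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="example.usbview.pkexec.run">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
  <action id="example.tool.pkexec.run">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example-tool</annotate>
  </action>
</policyconfig>
"""


def audit_policy(xml_text):
    """Return findings as (action_id, exec_path, field, severity) tuples.

    A finding is produced for each <defaults> field whose value is "yes".
    exec_path is the program the action launches via pkexec, or None if
    the action carries no exec.path annotation.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        action_id = action.get("id", "?")
        exec_path = None
        for ann in action.findall("annotate"):
            if ann.get("key") == EXEC_PATH_KEY:
                exec_path = (ann.text or "").strip()
        defaults = action.find("defaults")
        if defaults is None:
            continue
        for field, severity in SEVERITY.items():
            node = defaults.find(field)
            value = (node.text or "").strip() if node is not None else ""
            if value == "yes":
                findings.append((action_id, exec_path, field, severity))
    return findings


def audit_directory(directory="/usr/share/polkit-1/actions"):
    """Audit every .policy file under a directory; returns {file: findings}."""
    results = {}
    for path in sorted(pathlib.Path(directory).glob("*.policy")):
        try:
            findings = audit_policy(path.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            findings = [(str(path), None, "parse_error", str(exc))]
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("%-30s %-25s %-15s %s" % finding)
    for path, findings in audit_directory().items():
        for finding in findings:
            print("%s: %s" % (path, finding))
```

The script prints three findings for the first sample action (all three fields are `yes`) and none for the second, whose `auth_admin` values require an administrator password. On a real system the interesting hits are `high` findings whose exec path is a program that accepts library- or plugin-loading options, which is exactly the combination the usbview advisory describes; the corrected policy replaces `yes` with `auth_admin` (or `auth_admin_keep`) in those fields.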
