Umngcipheko omtsha walungiswa kubahleli beeteksti ezifakiweyo kusasazo olwahlukeneyo I-Linux yafunyanwa kubahleli beetekisi zeVim kunye neNeovim (I-CVE-2019-12735).
Ibug ifunyenwe kwaba bahleli ivumela abahlaseli ukuba balawule iikhompyuter xa abasebenzisi bevula ifayile yokubhaliweyo enobungozi. Ingxaki ibonakalisiwe ngomzekelo womsebenzi owenziwe ngokungagqibekanga (": set modeline"), ekuvumela ukuba uchaze iindlela zokuhlela kwifayile eqhutywayo.
IVim kunye nefolokhwe yayo yeNeoVim inesiphene esihlala kwiimodeli. Eli nqaku livumela abasebenzisi ukuba bacacise ubungakanani bewindow kunye nolunye ukhetho lwesiko kufutshane nasekuqaleni okanye esiphelweni sefayile yokubhaliweyo.
Eli nqaku linikwe amandla ngokungagqibekanga kwiinguqulelo ngaphambi kweVim 8.1.1365 Neovim 0.3.6 kwaye isebenza kuzo zonke iintlobo zeefayile, kubandakanya iifayile ze-.txt.
Malunga nokuba sesichengeni kwiVim
Ngokusebenzisa iModeli, linani eliqingqiweyo kuphela lokukhetha elivunyelweyo. SUkuba intetho ichazwe njengexabiso lokukhetha, ibaleka kwimowudi yesandbox, evumela kuphela imisebenzi elula nekhuselekileyo ukuba isetyenziswe.
Kwangelo xesha umyalelo ": umthombo" yenye yezo zivunyelwe, apho ungasebenzisa khona isitshintshi "!" ukuqhuba imiyalelo engenakuphikiswa evela kwifayile echaziweyo.
Ke ngoko, ukwenza ikhowudi, kwanele ukubonisa kwimodeli yendlela yokwakhiwa kwefom "set foldexpr = execute ('\: source! Some_file'):". Kwi-Neovim, umnxeba wokuphumeza awuvumelekanga, kodwa assert_fails inokusetyenziswa endaweni yoko.
Kwelinye icala, kwibhokisi yesanti, yenzelwe ukuthintela iziphumo ebezingalindelekanga:
Izinketho 'foldexpr', 'formatexpr', 'kubandakanyaeexpr', 'indentexpr', 'statusline' kunye 'foldtext' zonke zinokuvavanywa kwibhokisi yesanti. Oku kuthetha ukuba ukhuselekile kwezi ntetho ngeziphumo ebezingalindelekanga ezingathandekiyo. Oku kubonelela ngokhuseleko xa olu khetho luchazwa kwimodeli.
Ngelixa iimodeli zilinganisela imiyalelo ekhoyo kwaye uyenze kwimeko engafaniyo nenkqubo yokusebenza, Umphandi u-Armin Razmjou uqaphele lo myalelo: ifonti! kuthintelwe olu khuseleko:
"Ufunda kwaye enze imiyalelo kwifayile enikiweyo ngokungathi ibingeniswe ngesandla, ewenza wakuba ibhokisi yesanti ishiywe," ubhale watsho umphandi kumyalezo opapashwe ekuqaleni kwale nyanga. -ci.
Ke, umntu unokwakha kancinci umgca wemodeli ohambisa ikhowudi ngaphandle kwebhokisi yesanti.
Iposi ibandakanya iifayile ezibhaliweyo ezibonisa ubungqina bomgaqo, enye yazo ibonisa ngokucacileyo isoyikiso.
Omnye wabo uvula iqokobhe elibuyela umva kwikhompyuter eqhuba iVim okanye iNeoVim. Ukusuka apho, abahlaseli banokumilisela imiyalelo yokukhetha kwabo kumatshini ofunwayo.
"Le PoC ichaza indlela yohlaselo lokwenene apho iqokobhe eliphindayo lasungulwa xa umsebenzisi evula ifayile," ubhale watsho uRazmjou. «Ukufihla uhlaselo, ifayile iya kubhalwa kwangoko xa ivulwa. Kwakhona, i-PoC isebenzisa ukulandelelana kokuphepha ukufihla umgca wemodeli xa umxholo ushicilelwe ngekati. (ikati -v ityhila owona mxholo). «
Ukuphunyezwa komngcipheko wokuba semngciphekweni kufuna ukwenziwa kwemodeli esemgangathweni yokusebenza, njengakwisasazo seLinux ngokwakhona. Isiphene sifumaneka kwiVim ngaphambi kwenguqulo 8.1.1365 nakwiNeovim ngaphambi kwenguqulelo 0.3.6.
Le ngcebiso ivela kuVimba weeNgcaciso zeSizwe oMngcipheko weZiko leMigangatho kunye neTekhnoloji ibonisa ukuba ulwabiwo lweDebian kunye neFedora Linux luqalisile ukukhupha iinguqulelo ezizinzileyo.
Kukwabiwa, ingxaki isonjululwe ku RHEL, SUSE / openSUSE, Fedora, FreeBSD, Ubuntu, Arch Linux, kunye ne-ALT.
Umngcipheko uhlala ungachanekanga kwi-Debian (Kwimodeli kaDebian ikhubazekile ngokungagqibekanga, ke ukuba sesichengeni akubonakali kwimeko emiselweyo).
Inguqulelo yamva nje yeMacOS iyaqhubeka nokusebenzisa uhlobo olusemngciphekweni, nangona uhlaselo lusebenza kuphela xa abasebenzisi betshintshe useto olungagqibekanga olunemodeli yemodeli enikwe amandla.