A few days ago, news broke that a number of vulnerabilities had been found in swhkd (Simple Wayland HotKey Daemon), caused by incorrect handling of temporary files, command-line options and Unix sockets.
The program is written in Rust and handles hotkeys in environments based on the Wayland protocol (an analog of sxhkd, the hotkey daemon used in X11-based environments, with a compatible configuration file format). The package includes the unprivileged swhks process, which performs the hotkey actions, and the swhkd background process, which runs as root and interacts with input devices at the level of the uinput API. A Unix socket is used to coordinate the interaction between swhks and swhkd.
The Polkit rules allow any local user to run the /usr/bin/swhkd process as root and pass arbitrary parameters to it.
The RPM package submitted for inclusion in openSUSE Tumbleweed contained unusual Polkit rules in its spec file, which prompted a review by the SUSE security team.
As a result of the review, several security issues were identified. Each issue is described in this report below.
Among the identified vulnerabilities, the following are noted:
CVE-2022-27815
This vulnerability stems from storing the process PID in a file with a predictable name in a directory writable by other users (/tmp/swhkd.pid): any user can create the /tmp/swhkd.pid file and write the PID of an existing process into it, which makes it impossible to start swhkd.
In the absence of protection against symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any directory on the system (the PID is written to the file) or to determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). It should be noted that in the released fix the PID file was not moved to the /run directory but to the /etc directory (/etc/swhkd/runtime/swhkd_{uid}.pid), where it does not belong either.
CVE-2022-27814
This vulnerability allows the "-c" command-line option, used to specify the configuration file, to be abused to determine the existence of any file on the system.
As with the first vulnerability, the fix for the problem is puzzling: it boils down to launching the external "cat" utility ('Command::new("/bin/cat").arg(path).output()') to read the configuration file.
CVE-2022-27819
This issue is also related to the use of the "-c" option, which loads and parses the entire configuration file without checking the size and type of the file.
For example, to cause a denial of service by exhausting free memory and generating spurious I/O, one can specify a block device at startup ("pkexec /usr/bin/swhkd -d -c /dev/sda") or a character device that produces an endless stream of data.
The issue was addressed by dropping privileges before opening the file, but the fix is incomplete, since only the user ID (UID) is reset while the group ID (GID) stays the same.
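As an added illustration (not swhkd's code or its published fix) of how a configuration file named by "-c" can be loaded without the size and type problems described for CVE-2022-27819: the already-opened descriptor is checked with fstat and the read is capped. MAX_CONFIG_BYTES, ConfigError and read_config_bounded are names chosen for this example.

```rust
// Added example (not swhkd's code): bounded, type-checked config loading.
use std::fs::File;
use std::io::Read;
use std::path::Path;

/// Upper bound for a hotkey configuration file. Assumption: real configs
/// are a few kilobytes, so 1 MiB is generous.
pub const MAX_CONFIG_BYTES: u64 = 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Io(String),
    NotRegularFile,
    TooLarge(u64),
}

/// Open `path`, verify via fstat on the opened descriptor that it is a
/// regular file of acceptable size, then read at most MAX_CONFIG_BYTES.
/// Checking the descriptor rather than the path name means a symlink
/// swapped in after a path-based check cannot redirect the read elsewhere.
pub fn read_config_bounded(path: &Path) -> Result<String, ConfigError> {
    let file = File::open(path).map_err(|e| ConfigError::Io(e.to_string()))?;
    let meta = file.metadata().map_err(|e| ConfigError::Io(e.to_string()))?;
    // Once opened, anything but a regular file (block or character devices,
    // FIFOs, sockets, directories) is rejected before any read, so /dev/sda
    // or an endless character device is never streamed into memory.
    if !meta.is_file() {
        return Err(ConfigError::NotRegularFile);
    }
    if meta.len() > MAX_CONFIG_BYTES {
        return Err(ConfigError::TooLarge(meta.len()));
    }
    // Defence in depth: cap the read even if the file grows after fstat.
    let mut buf = String::new();
    file.take(MAX_CONFIG_BYTES + 1)
        .read_to_string(&mut buf)
        .map_err(|e| ConfigError::Io(e.to_string()))?;
    if buf.len() as u64 > MAX_CONFIG_BYTES {
        return Err(ConfigError::TooLarge(buf.len() as u64));
    }
    Ok(buf)
}

fn main() {
    let path = std::env::args().nth(1).unwrap_or_else(|| "swhkdrc".to_string());
    match read_config_bounded(Path::new(&path)) {
        Ok(cfg) => println!("loaded {} bytes of configuration", cfg.len()),
        Err(e) => eprintln!("refusing to load {}: {:?}", path, e),
    }
}
```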
CVE-2022-27818
This vulnerability concerns the Unix socket created as the /tmp/swhkd.sock file in a world-writable directory, which leads to the same problems as the first vulnerability (any user can create /tmp/swhkd.sock and generate or intercept keypress events).
CVE-2022-27817
In this vulnerability, input events are received from all devices and in all sessions, i.e. a user in another Wayland or console session can intercept the events when other users press hotkeys.
CVE-2022-27816
The swhks process, like swhkd, uses a PID file, /tmp/swhks.pid, in the world-writable /tmp directory. The issue is similar to the first vulnerability but less dangerous, since swhks runs under an unprivileged user.
Finally, if you are interested in learning more about this, you can check the details at the following link.