Zimbalwa ezidlulileyo Iintsuku bazikhupha iindaba kwinto echongiweyo umngcipheko kwiGhostscript (CVE-2020-15900) yintoni enokuthi yenza ukuguqulwa kwefayile kunye nokwenza ngokungalunganga komyalelo xa uvula iifomathi zePostScript ezifomathiweyo.
Kwabo bangaqhelani neGhostscript kufuneka bayazi loo nto Le yinjini yokunikezela ngePostcript kunye nomxholo wePDF Kwaye ihlala isetyenziselwa ukuguqula amaxwebhu e-PDF kunye ne-Postcript kwimifanekiso yokujonga kuqala, i-thumbnail kunye neenjongo zokuprinta.
Isetyenziselwa ukwenziwa komgangatho opheleleyo woxwebhu kubabukeli abaninzi bePDF, kubandakanya ababukeli abadumileyo kwi-Android, kwaye inelayisensi ziinkampani ezininzi ezinje ngeGoogle zokunikezela kwilifu.
Malunga nokuba semngciphekweni kwiGhostscript
I-bug ichongiwe kusetyenziso lomqhubi wophando I-PostScript engaqhelekanga kuxwebhu oluvumela ukubangela ukugcwala kohlobo uint32_t xa ubala ubungakanani, bhala ngaphezulu kweendawo zememori ngaphandle kwesikhuseli unikezelwe kwaye ufumane ukufikelela kwiifayile ezikwifayile yefayile, enokusetyenziselwa ukwenza uhlaselo lokwenza ikhowudi yokuchasana kwinkqubo (umzekelo, ngokongeza imiyalelo kwi ~ / .bashrc okanye ~ / .profile).
I-snippet efunyenwe yi-AFL ityhale umtya ongenanto kwisitaki: iibakaki ezingenanto (), zikopa ireferensi koku, zikhokelela kwisitaki esineentambo ezimbini ezingenanto () () emva koko zabuyela umva ekubhekeni kwakhona. Ngamanye amagama, ibikhangela umtya ongenanto kumtya ongenanto, ukuqala esiphelweni.
Ngelishwa baphose ityala lomda apho kukhangelwa umtya ongenanto. Xa ukhangela umtya ongenanto, oku kuchazwa njengempumelelo kwangoko: akukho nto sinokuyikhangela, ke sitsibe ngqo esiphelweni. Nangona kunjalo, iziphumo kufuneka zahlulwe zibe ngumdlalo wangaphambi komdlalo, umdlalo kunye namaxabiso omdlalo wasemva komdlalo. Ngelishwa, ikhowudi yacinga ukuba sijonge ubuncinci kube kanye kwaye sabala ubude beziphumo zomdlalo ongalunganga ngokuthabatha enye ukusuka ku-zero, kukhokelela ekubuyiselweni kwelona xabiso liphezulu: 4,294,967,295.
Impazamo sisiphene senkohliso kwimemori apho kunokwenzeka ukusilela kwaye kwenzeka ngalo lonke ixesha. Akukho sidingo sokujongana nokugcinwa koonogada njl.njl, funda kwaye ubhale nantoni na oyifunayo kwinxalenye enkulu yememori. Oku kwenza ukuba kube lula kumntu ongeyena umbhali onamava ukuxhaphaza.
Ngenxa yoku kungaphantsi, lo mtya awuzange wabelwe kwaye awuthathanga ndawo yokwenyani, kodwa inobude obuye bufikelela kwenye inkumbulo. Ukuzama ukufunda okanye ukubhala imemori kwiidilesi ezingacwangciswanga kuya kuphuma kwimemori, kungoko konke ukusilela okungafunekiyo. Nangona kunjalo, sinokugcina ireferensi ukuvumela ukusetyenziswa kwayo kusetyenziswa le khowudi snippet:
Kubalulekile ukuba uyithathele ingqalelo loo nto Ukuba semngciphekweni kwiGhostscript kubi kakhulunjengoko le phakheji isetyenziswa kuninzi lwezicelo ezithandwayo zePostScript kunye nePDF. Umzekelo, iGhostscript ibizwa xa kusenziwa iithonjana kwidesktop, xa isalathisa idatha ngasemva, naxa uguqula imifanekiso.
Uhlaselo oluyimpumelelo, kwiimeko ezininzi, lwanele ukukhuphela kwifayile yokuxhaphaza okanye ukukhangela umkhombandlela kunye nawo eNautilus.
Ukuba semngciphekweni kwiGhostscript kunokuxhashazwa ngabaqhubi bemifanekiso ngokusekwe kwiiphakheji zeMifanekisoMagick kunye neGraphicsMagick, ukuhambisa ifayile yeJPEG okanye yePNG, equlathe ikhowudi yePostScript endaweni yomfanekiso (le fayile iyakwenziwa kwiGhostscript, kuba uhlobo lweMIME lwamkelwa ngumxholo, kwaye ngaphandle kokuxhomekeka kulwandiso).
Solution
Umcimbi uchaphazela iinguqulelo ezingama-9.50 ukuya kwele-9.52 (Ibug ibikhona ukusukela kwinguqulelo 9.28rc1, kodwa ngokutsho kwabaphandi abachonge ubungozi, yavela ukusukela kwinguqulelo 9.50).
Kodwa ukulungiswa kwakusele kucetyisiwe kuhlobo 9.52.1 ukongeza kuloo kunyeuhlaziyo lupapashiwe Iiphakheji zepatch zolwabiwo lweLinux ezinje ngeDebian, Ubuntu kunye ne-SUSE.
Ngelixa iipakeji kwiRHEL zingachaphazeleki.
Umthombo: https://insomniasec.com