Zimbalwa ezedlule izinsuku badedela izindaba walokho okwahlonzwa ukuba sengozini ku-Ghostscript (CVE-2020-15900) yini engakwazi imbangela ukuguqulwa kwefayela nokwenza umyalo ngokungafanele lapho uvula imibhalo efomethwe ngokukhethekile yePostScript.
Kulabo abangajwayelene neGhostscript kufanele bakwazi lokho le yinjini enikezela ngokuqukethwe kwePostScript nePDF futhi ijwayele ukusetshenziselwa ukuguqula imibhalo ye-PDF neyePostcript ibe yizithombe zokubuka kuqala, isithonjana nezinjongo zokuphrinta.
Ibuye isetshenziselwe ukukhiqizwa kabusha kwemibhalo esezingeni eliphakeme kubabukeli abaningi be-PDF, kufaka phakathi ababukeli abadumile ku-Android, futhi inikwe ilayisense yizinkampani ezinkulu ezinjengeGoogle ngokunikela efwini.
Mayelana nokuba sengozini ku-Ghostscript
I-bug ikhonjwe ekusetshenzisweni kwe-opharetha yocwaningo I-PostScript engajwayelekile embhalweni ovumela ukudala ukugcwala kohlobo uint32_t lapho kubalwa usayizi, bhala kabusha izindawo zememori ngaphandle kwe-buffer unikezwe futhi uthole ukufinyelela kwamafayela kuhlelo lwefayela, olungasetshenziselwa ukwenza ukuhlasela ukwenza ikhodi yokuphikisana nohlelo (ngokwesibonelo, ngokungeza imiyalo ku- ~ / .bashrc noma ~ / .profile).
Amazwibela atholwe yi-AFL acindezele intambo engenalutho esitaki: kubakaki abangenalutho (), bakopishe ireferensi yalokhu, okuholele esitaki ngezintambo ezimbili ezingenalutho () () base bebheka emuva. Ngamanye amagama, ibifuna intambo engenalutho ngentambo engenalutho, eqala ekugcineni.
Ngeshwa baphuthelwe yicala lomngcele lapho kuseshwa khona intambo engenalutho. Lapho ufuna intambo engenalutho, lokhu kuchazwa njengempumelelo esheshayo: akukho okumele sikufune, ngakho-ke sifinyelela ekugcineni. Kodwa-ke, umphumela kufanele uhlukaniswe ngamanani we-pre-match, match, kanye ne-post-match. Ngeshwa, ikhodi yacabanga ukuthi sibuke okungenani kanye futhi sabala ubude bomphumela wokulingana ngemuva kokukhipha owodwa kusuka ku-zero, okuholele ekubuyiselweni kunani eliphakeme: 4,294,967,295.
Leli phutha kuyisici senkohlakalo yenkumbulo lapho kukhona khona ukwehluleka futhi kwenzeka ngaso sonke isikhathi. Akunasidingo sokubhekana nabagcini bezitaki, njll., Funda nje futhi ubhale noma yini oyifunayo engxenyeni enkulu yememori. Lokhu kwenze kwalula kakhulu kumuntu ongeyena umbhali onolwazi ngokuxhaphaza ukuthi akusebenzise.
Ngenxa yalokhu kuhamba phansi, le ntambo yayingakaze yabiwa futhi ayizange ithathe isikhala sangempela, kepha ibinobude obudlulele kwenye imemori. Ukuzama ukufunda noma ukubhala leyo nkumbulo kumakheli angahleliwe kuzophuma emikhawulweni yememori, yingakho onke amaphutha angaqondakali. Kodwa-ke, singagcina ireferensi ukuvumela ukusetshenziswa kwayo kusetshenziswe le snippet yekhodi:
Kubalulekile ukuthi unake lokho ukuba sengozini ku-Ghostscript kubucayi kakhulunjengoba leli phakheji lisetshenziswa ezinhlelweni eziningi ezithandwayo zePostScript nezePDF. Isibonelo, i-Ghostscript ibizwa lapho idala izithonjana kwideskithophu, lapho ikhomba idatha ngemuva, nalapho kuguqulwa izithombe.
Ngokuhlaselwa okuphumelelayo, ezimweni eziningi, kwanele ukumane ulande ifayili lokuxhaphaza noma uphequlule umkhombandlela nalo eNautilus.
Ukuba sengozini ku-Ghostscript nakho kungasetshenziswa ngokusebenzisa abashayeli bezithombe ngokususelwa kumaphakheji we-ImageMagick ne-GraphicsMagick, kudlulisa ifayili le-JPEG noma le-PNG, eliqukethe ikhodi yePostScript esikhundleni sesithombe (leli fayela lizocutshungulwa ku-Ghostscript, ngoba uhlobo lwe-MIME lwaziwa ngokuqukethwe, futhi ngaphandle kokuya ngesandiso).
Isixazululo
Inkinga ithinta izinhlobo 9.50 kuye ku-9.52 (Isiphazamisi besilokhu sikhona kusukela kwinguqulo 9.28rc1, kepha ngokusho kwabaphenyi abakhombe ukuba sengozini, kwavela kusukela kwinguqulo 9.50).
Kepha ukulungiswa bekuvele kuhlongoziwe kunguqulo 9.52.1 ngokungeziwe kulokho futhiizibuyekezo zishicilelwe yamaphakeji wokuhlanganisa wokusatshalaliswa kweLinux efana neDebian, Ubuntu ne-SUSE.
Ngenkathi amaphakheji ku-RHEL engathinteki.
Umthombo: https://insomniasec.com