Vulnerability found in Composer puts the Packagist PHP repository at risk

A few days ago the news broke that a critical vulnerability had been found in the Composer dependency manager (CVE-2021-29472). It allows arbitrary commands to be executed on the system while a package is being processed, using a specially crafted URL value that specifies where the source code is to be downloaded from.

The problem manifests itself in the GitDriver, SvnDriver and HgDriver components used with the Git, Subversion and Mercurial source control systems. The vulnerability was fixed in Composer versions 1.10.22 and 2.0.13.

The most affected party is Packagist, Composer's default package repository, which hosts 306,000 PHP developer packages and serves more than 1.4 billion downloads per month.

In the PHP ecosystem, Composer is the main tool for managing and installing software dependencies. Development teams around the world use it to simplify the development process and to make sure applications run consistently across all environments and versions.

The analysis showed that an attacker who knew about this problem could take control of the Packagist infrastructure and intercept maintainers' credentials, or redirect package downloads to a third-party server and so deliver modified variants of packages in which a malicious user had planted a backdoor that is installed along with the dependency.

The risk to end users is limited, because the contents of composer.json are usually defined by the user and the source links are passed on when accessing third-party repositories, which are usually trusted. The main impact fell on the Packagist.org repository and the Packagist private service, which invoke Composer with data received from users. An attacker could run code on the Packagist servers by submitting a specially crafted package.

The Packagist team resolved the vulnerability within 12 hours of being notified. The researchers privately informed the Packagist developers on April 22, and the problem was fixed the same day. The public Composer update that fixes the vulnerability was released on April 27, and the details were disclosed on April 28. An audit of the logs on the Packagist servers did not reveal any suspicious activity associated with the vulnerability.

Argument injection bugs are a genuinely interesting class of flaws that are often overlooked during code review and can go entirely unnoticed in black-box testing.

The problem is caused by a flaw in the validation of URLs in the root composer.json file and in the source download links. The bug had been present in the code since November 2011. Packagist uses dedicated layers to handle code downloads without being tied to a particular source control system; these work by calling "fromShellCommandline" with command-line arguments.

The heart of the problem is that the ProcessExecutor method allowed arbitrary additional call parameters to be specified through the URL, and the GitDriver.php, SvnDriver.php and HgDriver.php drivers lacked the corresponding escaping. Attacking GitDriver.php is hindered by the fact that the "git ls-remote" command does not accept additional arguments after the path.

An attack on HgDriver.php was possible by passing the "--config" parameter to the "hg" utility, which makes it possible to arrange the execution of an arbitrary command by manipulating the "alias.identify" setting.
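As an added illustration (this is not Composer's code or the researchers' code), the PHP sketch below shows why shell escaping alone does not stop argument injection, and how a URL validator combined with the `--` end-of-options marker closes the gap; the function names, the command shape and the inputs are hypothetical.

```php
<?php
// Added example, not from Composer. Demonstrates argument injection through a VCS URL:
// the tool receives the URL as an argument, so a value beginning with "-" is parsed
// as an option even when every shell metacharacter has been escaped.

/** Escaping only: neutralises shell metacharacters, but the tool still sees an option. */
function buildEscapedOnlyCommand(string $tool, string $url): string
{
    // escapeshellarg('--config=x') yields '--config=x'; the quotes are removed by the
    // shell and $tool is handed a bare "--config=x" argument.
    return sprintf('%s identify %s', $tool, escapeshellarg($url));
}

/** Hardened: accept only recognised VCS URL shapes and never a value that starts with "-". */
function validateVcsUrl(string $url): bool
{
    if ($url === '' || $url[0] === '-') {
        return false;                       // option-shaped value: reject outright
    }
    // Absolute URL with a known scheme (hypothetical allow-list for this example).
    if (preg_match('{^(https?|ssh|git|svn|svn\+ssh|hg)://\S+$}i', $url)) {
        return true;
    }
    // scp-like syntax user@host:path; the path component must not begin with "-".
    if (preg_match('{^[\w.-]+@[\w.-]+:[^\s-]\S*$}', $url)) {
        return true;
    }
    return false;
}

function buildHardenedCommand(string $tool, string $url): string
{
    if (!validateVcsUrl($url)) {
        throw new InvalidArgumentException('Refusing option-shaped or unrecognised VCS URL');
    }
    // "--" ends option parsing for getopt-style tools (assumed supported by $tool),
    // so even a value that slipped past validation cannot be read as an option.
    return sprintf('%s identify -- %s', $tool, escapeshellarg($url));
}

// Constructed inputs (not from the advisory): a normal URL and an option-shaped
// placeholder of the kind the text describes. Not a working payload.
foreach (['https://example.org/vendor/package.git', '--config=<placeholder>'] as $url) {
    echo 'escaped-only: ', buildEscapedOnlyCommand('hg', $url), PHP_EOL;
    try {
        echo 'hardened:     ', buildHardenedCommand('hg', $url), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'hardened:     rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The escaped-only line for the second input still carries `--config=...` as an argument to the tool, which is the class of flaw described above; the hardened path rejects it before any command line is built.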

By submitting a test package with such a URL to Packagist, the researchers confirmed that after publication their server received an HTTP request from one of Packagist's servers on AWS, containing a list of the files in the current directory.

It should be noted that the maintainers found no signs of prior exploitation of this vulnerability on the public Packagist instance.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

