Root-privilege vulnerability in the Snap package management toolkit

Qualys has identified its third dangerous vulnerability of the year (CVE-2022-3328), this time in the snap-confine utility, which ships with the SUID-root bit set and is invoked by snapd to build the execution environment for applications distributed as self-contained packages in the snap format. The flaw allows an unprivileged local user to achieve code execution as root on a default Ubuntu installation. The issue is fixed in snapd release 2.57.6 (the installed version can be confirmed by running snap version), and package updates have been published for all supported Ubuntu branches.

Notably, the vulnerability in question was introduced while fixing a similar vulnerability in snap-confine in February. The researchers were able to prepare a working exploit that gains root on Ubuntu Server 22.04. In addition to the snap-confine flaw, the exploit relies on two vulnerabilities in the multipathd process (CVE-2022-41974 and CVE-2022-41973), related to bypassing the authorization check when privileged commands are sent to it and to unsafe handling of symbolic links.

The snap-confine vulnerability is caused by a race condition in the must_mkdir_and_open_with_perms() function, which was added to protect against the /tmp/snap.$SNAP_NAME directory being replaced with a symbolic link after its owner has been checked but before the mount() system call that binds directories into it for the package running in the snap sandbox. The additional protection consisted of renaming /tmp/snap.$SNAP_NAME to a randomly named directory in /tmp whenever it already exists and is not owned by root.

To exploit the renaming of /tmp/snap.$SNAP_NAME, the researchers took advantage of the fact that snap-confine also creates a /tmp/snap.rootfs_XXXXXX directory to hold the root of the package contents in the snap sandbox. The "XXXXXX" part of that name is chosen randomly by mkdtemp(), but a package named "rootfs_XXXXXX" passes validation in the sc_instance_name_validate function. The idea, then, is to set $SNAP_NAME to "rootfs_XXXXXX" so that the rename operation overwrites the /tmp/snap.rootfs_XXXXXX directory with the sandbox root.

To make the use of /tmp/snap.rootfs_XXXXXX coincide with the rename of /tmp/snap.$SNAP_NAME, two instances of snap-confine are launched. As soon as the first instance has created /tmp/snap.rootfs_XXXXXX, its process is suspended and a second instance is started with the package name rootfs_XXXXXX, which causes the second instance's temporary directory /tmp/snap.$SNAP_NAME to be renamed over the first instance's root directory /tmp/snap.rootfs_XXXXXX. Immediately after the rename completes, the second instance crashes, and /tmp/snap.rootfs_XXXXXX is replaced by exploiting a race condition, in the same way as in the exploitation of the February vulnerability. After the replacement, the first instance is resumed, and the attacker now has full control over the sandbox root directory.

The final stage is to create the symbolic link /tmp/snap.rootfs_XXXXXX/tmp, which the sc_bootstrap_mount_namespace() function uses to bind-mount the real /tmp directory; because the mount() call resolves symlinks in the target path before mounting, the link can redirect that bind mount to any directory in the filesystem. Such a mount is blocked by AppArmor restrictions, and it is to get around this block that the exploit uses the two auxiliary vulnerabilities in multipathd.

source: budenet.ru
