sudo root vulnerability affecting Linux Mint and Elementary OS

A vulnerability (CVE-2019-18634) has been identified in the sudo utility, which is used to run commands on behalf of other users, that allows privilege escalation to the root user. The problem only appears from release sudo 1.7.1 onwards and only when the "pwfeedback" option is used in the /etc/sudoers file; this option is disabled by default but enabled on some distributions, such as Linux Mint and Elementary OS. The problem is fixed in release sudo 1.8.31, published a few hours ago. The vulnerability remains unpatched in the distributions' packages.

The "pwfeedback" option enables echoing a "*" character for every character typed while entering a password. Due to an error in the implementation of the getln() function, defined in the file tgetpass.c, an overly long password string passed through the standard input stream (stdin) may, under certain conditions, not fit in the allocated buffer and overwrite other data on the stack. The overflow occurs while the sudo code is running as root.

The essence of the problem is that when the special character ^U (line erase) is used during input and the write operation fails, the code responsible for erasing the echoed "*" characters resets the counter of remaining buffer space, but does not reset the pointer to the current position in the buffer back to its initial value. A further factor contributing to exploitation is that "pwfeedback" mode is not automatically disabled when the data comes not from a terminal but through a pipe (this flaw makes it possible to create the conditions for the write error to occur; for example, on systems with unidirectional unnamed pipes, the error occurs when attempting to write to the read end of the pipe).
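The ^U handling described above, as an added illustration that is not sudo's own code: a small model of the getln() feedback loop that counts the bytes that would land past the end of the buffer, in the vulnerable form (only the remaining-space counter is reset) and in the fixed form (the write position is rewound as well). The buffer size, the sample input and the write_fails flag are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

#define BUFSZ 8          /* deliberately tiny password buffer */
#define KILL_CHAR '\025' /* ^U, the line-kill character */

/* Hypothetical model of the getln() feedback loop in tgetpass.c (not sudo's
 * code).  write_fails models the failed write() of the erase sequence the
 * article describes (stdin is the read end of a pipe).  With fixed == false,
 * ^U resets only `left`, as the vulnerable code did; with fixed == true it
 * also rewinds the write position.  Returns how many input bytes would have
 * landed past the end of buf; the model counts them instead of writing. */
size_t simulate_getln(const char *in, bool write_fails, bool fixed)
{
    char buf[BUFSZ];
    size_t pos = 0, left = BUFSZ, overflow = 0;
    while (--left) {                    /* same loop shape as getln() */
        char c = *in++;
        if (c == '\0')
            break;                      /* end of input */
        if (c == KILL_CHAR) {
            while (pos > 0) {           /* erase the echoed '*' characters */
                if (write_fails)
                    break;              /* erase write failed: stop early */
                --pos;
            }
            left = BUFSZ;               /* the original code reset only this */
            if (fixed)
                pos = 0;                /* the fix also rewinds the position */
            continue;
        }
        if (pos < BUFSZ)
            buf[pos] = c;
        else
            overflow++;                 /* would be out of bounds */
        pos++;
    }
    return overflow;
}

/* Constructed input: three runs of six 'A's, each followed by ^U. */
const char kInput[] = "AAAAAA\025AAAAAA\025AAAAAA\025";

int main(void)
{
    printf("vulnerable, write fails: %zu bytes past buffer\n", simulate_getln(kInput, true, false));
    printf("vulnerable, write ok:    %zu bytes past buffer\n", simulate_getln(kInput, false, false));
    printf("fixed, write fails:      %zu bytes past buffer\n", simulate_getln(kInput, true, true));
    return 0;
}
```

With a terminal (the erase write succeeds) the position is rewound by the erase loop itself, which is why the bug only shows when input arrives through a pipe.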

Since the attacker has full control over the data written past the buffer on the stack, it is not difficult to create an exploit that escalates privileges to root. Any user can exploit the problem, regardless of their sudo permissions or any user-specific settings in sudoers. To block the problem, make sure that the "pwfeedback" setting is not present in /etc/sudoers and, if necessary, disable it explicitly ("Defaults !pwfeedback"). To check whether a system is affected, you can run the following command:

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault

source: budenet.ru
