Vulnerability in LibKSBA leads to code execution when GnuPG processes S/MIME

A critical vulnerability (CVE-2022-3515) has been identified in the LibKSBA library, which is developed by the GnuPG project and provides functions for working with X.509 certificates. It leads to an integer overflow and a write of arbitrary data beyond the allocated buffer when parsing the ASN.1 structures used in S/MIME, X.509 and CMS. The problem is aggravated by the fact that the Libksba library is used in the GnuPG package, so the vulnerability can lead to remote code execution by an attacker when GnuPG (gpgsm) processes encrypted or signed data from files or e-mail messages using S/MIME. In the simplest case, to attack a victim who uses an e-mail client that supports GnuPG and S/MIME, it is enough to send a specially crafted e-mail.

The vulnerability can also be used to attack dirmngr servers, which download and parse certificate revocation lists (CRLs) and verify the certificates used in TLS. An attack on dirmngr can be carried out from a web server controlled by the attacker, by returning specially crafted CRLs or certificates. It is noted that no publicly available exploits for gpgsm and dirmngr have yet been identified, but the vulnerability is of a typical kind and nothing prevents skilled attackers from preparing an exploit themselves.

The vulnerability has been fixed in the Libksba 1.6.2 release and in the GnuPG 2.3.8 binary builds. On Linux distributions the Libksba library is supplied as a separate dependency, while in the Windows builds it is bundled into the main installation package together with GnuPG. After updating, remember to restart the background processes with the command "gpgconf --kill all". To check whether the problem is present, look at the "KSBA ...." line in the output of the "gpgconf --show-versions" command; it must show a version of at least 1.6.2.
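As an added example (not part of the original article), the check described above as a small POSIX shell script: it pulls the version number out of the "KSBA" line of `gpgconf --show-versions` output and compares it against 1.6.2. The sample output embedded in the script is constructed; the only assumption about the real output is that the KSBA line contains the word "KSBA" followed somewhere by a dotted version number.

```shell
#!/bin/sh
# Added example: verify that the Libksba reported by gpgconf is >= 1.6.2 (CVE-2022-3515 fix).

MIN_KSBA="1.6.2"

# Print the dotted version number found on the line that mentions KSBA (empty if none).
ksba_version() {
    printf '%s\n' "$1" | awk '/KSBA/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+(\.[0-9]+)?$/) { print $i; exit }
    }'
}

# Return 0 when dotted version $1 >= dotted version $2, 1 otherwise (missing fields count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# Return 0 when the gpgconf output in $1 reports a fixed KSBA; 1 if older or not reported.
ksba_is_fixed() {
    v=$(ksba_version "$1")
    [ -n "$v" ] || return 1   # no KSBA line at all: cannot confirm the fix
    version_ge "$v" "$MIN_KSBA"
}

# Constructed sample in the shape of `gpgconf --show-versions` output (abbreviated).
SAMPLE_OUTPUT='* GnuPG 2.3.7
* Libgcrypt 1.10.1
* KSBA 1.6.1
* NTBTLS 0.3.0'

if [ -z "$CHECK_SAMPLE_ONLY" ] && command -v gpgconf >/dev/null 2>&1; then
    SAMPLE_OUTPUT=$(gpgconf --show-versions 2>/dev/null)   # use the live output when available
fi

if ksba_is_fixed "$SAMPLE_OUTPUT"; then
    echo "KSBA $(ksba_version "$SAMPLE_OUTPUT") >= $MIN_KSBA: fixed"
else
    echo "KSBA older than $MIN_KSBA or not reported: update, then run 'gpgconf --kill all'"
fi
```

Set `CHECK_SAMPLE_ONLY=1` to evaluate the constructed sample instead of the local gpgconf.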

Updates for the distributions have not yet been released, but their availability can be tracked on these pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Arch, FreeBSD. The vulnerability is also present in the MSI and AppImage packages shipped with GnuPG VS-Desktop and in Gpg4win.

source: budenet.ru
