Vulnerability in zlib triggered when compressing specially crafted data

A vulnerability (CVE-2018-25032) has been identified in the zlib library that leads to a buffer overflow when attempting to compress a specially crafted sequence of characters in the input data. As things stand, researchers have only demonstrated the ability to make the process terminate abnormally; whether the problem can have more serious consequences has not yet been analysed.

The defect appears to date from zlib version 1.2.2.2 and affects the current release, zlib 1.2.11. Notably, a patch fixing the vulnerability was proposed in 2018, but the developers did not pay attention to it and did not publish a corrected release (the zlib library was last updated in 2017). The fix is also not yet included in the packages shipped by distributions. You can track the publication of fixes by distributions on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The problem does not affect the zlib-ng library.

The vulnerability occurs when the input stream contains a large number of matches to be packed and the packing uses fixed Huffman codes. Under certain conditions, the contents of the intermediate buffer into which the compressed result is written can overflow into the memory that holds the symbol frequency table. As a result, the incorrectly compressed data causes a crash due to an out-of-bounds write.

The vulnerability can only be exploited when the compression strategy based on fixed Huffman codes is used. That strategy is chosen when the Z_FIXED option is explicitly enabled in the code (an example sequence that causes a crash when the Z_FIXED option is used). Judging by the code, the Z_FIXED strategy can also be selected automatically if the optimal trees computed for the data come out the same size.

It is not yet clear whether the conditions for exploiting the vulnerability can arise when the default compression strategy, Z_DEFAULT_STRATEGY, is used. If not, the vulnerability is limited to specific systems that explicitly use the Z_FIXED option. If so, the damage from the vulnerability could be considerable, since the zlib library is a de facto standard and is used in many popular projects, including the Linux kernel, OpenSSH, OpenSSL, Apache httpd, libpng, FFmpeg, rsync, dpkg, rpm, Git, PostgreSQL, MySQL and others.
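As an added example (not part of the original article or of zlib), the following Python helper turns the two practical points above into a check: it flags a runtime zlib whose version string falls inside the affected range the article names (1.2.2.2 through 1.2.11) and refuses to build a compressor with Z_FIXED on such a zlib, so callers are pushed toward Z_DEFAULT_STRATEGY or an upgraded library. Function names are my own; it assumes Python's zlib module exposes ZLIB_RUNTIME_VERSION and Z_FIXED.

```python
"""Audit helper for CVE-2018-25032 (zlib deflate crash with the Z_FIXED strategy).

Added example: the names below are mine, not zlib's or the article's.
"""
import re
import zlib

# Affected range as stated in the article: introduced in 1.2.2.2, present in 1.2.11.
AFFECTED_FIRST = (1, 2, 2, 2)
AFFECTED_LAST = (1, 2, 11)


def parse_zlib_version(version):
    """Turn a version string such as '1.2.11' or '1.2.11.1' into a tuple of ints.
    Anything after the numeric part (e.g. '1.2.12-ng') is ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_in_affected_range(version):
    """True when the version lies inside the range named in the article.

    Patch-level tags such as 1.2.11.1 are treated as 1.2.11. A distribution may
    backport the fix without changing the version, so True means 'verify against
    the package changelog', not 'definitely vulnerable'."""
    parsed = parse_zlib_version(version)
    return AFFECTED_FIRST <= parsed and parsed[:3] <= AFFECTED_LAST


def safe_compressobj(strategy=zlib.Z_DEFAULT_STRATEGY,
                     level=zlib.Z_DEFAULT_COMPRESSION, runtime_version=None):
    """Create a deflate compressor, refusing Z_FIXED on an affected zlib.

    runtime_version defaults to the zlib actually linked into this interpreter."""
    if runtime_version is None:
        runtime_version = zlib.ZLIB_RUNTIME_VERSION
    if strategy == zlib.Z_FIXED and version_in_affected_range(runtime_version):
        raise RuntimeError(
            f"Z_FIXED requested but zlib {runtime_version} is in the CVE-2018-25032 "
            "range; use Z_DEFAULT_STRATEGY or upgrade zlib")
    return zlib.compressobj(level, zlib.DEFLATED, zlib.MAX_WBITS,
                            zlib.DEF_MEM_LEVEL, strategy)


def compress_with(strategy, data, runtime_version=None):
    """Compress data with the given strategy, subject to the Z_FIXED guard above."""
    comp = safe_compressobj(strategy=strategy, runtime_version=runtime_version)
    return comp.compress(data) + comp.flush()
```

A version inside the range is a prompt to read the distribution's package changelog, since a backported fix leaves the version string unchanged.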

source: budenet.ru
