Vulnerabilities in swhkd, a hotkey manager for Wayland

A series of vulnerabilities has been identified in swhkd (Simple Wayland HotKey Daemon), caused by incorrect handling of temporary files, command-line parameters and a Unix socket. The program is written in Rust and handles hotkeys in environments based on the Wayland protocol (a configuration-file-compatible analogue of the sxhkd daemon used in X11-based environments).

The package consists of the unprivileged swhks process, which executes the hotkey actions, and the swhkd background process, which runs as root and interacts with input devices at the uinput API level. A Unix socket is used to organise the interaction between swhks and swhkd. Through Polkit rules, any local user can run the /usr/bin/swhkd process as root and pass arbitrary parameters to it.

Identified vulnerabilities:

  • CVE-2022-27815 - The process PID is saved to a file with a predictable name in a directory writable by other users (/tmp/swhkd.pid). Any user can create the file /tmp/swhkd.pid and put the PID of an existing process into it, which will prevent swhkd from starting. If there is no protection against creating symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any system directory (the PID is written to the file) or to determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). It is worth noting that in the released fix the PID file was not moved to the /run directory but to the /etc directory (/etc/swhkd/runtime/swhkd_{uid}.pid), where it does not belong either.
  • CVE-2022-27814 - By manipulating the "-c" command-line option, which is used to specify the configuration file, it is possible to determine whether any file on the system exists. For example, to check for /root/.somefile one can run "pkexec /usr/bin/swhkd -d -c /root/.somefile", and if the file is missing the error "/root/.somefile doesn't exist." is shown. As with the first vulnerability, the fix for the problem is perplexing: it boils down to the external utility "cat" now being launched to read the configuration file ('Command::new("/bin/cat").arg(path).output()').
  • CVE-2022-27819 - This issue is also related to the "-c" option, which causes the entire configuration file to be loaded and parsed without checking the file's size or type. For example, to cause a denial of service through exhaustion of free memory and spurious I/O, a block device can be specified at startup ("pkexec /usr/bin/swhkd -d -c /dev/sda"), or a character device that produces endless data. The problem was resolved by dropping privileges before opening the file, but the fix is incomplete, since only the user ID (UID) is reset while the group ID (GID) remains unchanged.
  • CVE-2022-27818 - The Unix socket is created using the file /tmp/swhkd.sock in a world-writable directory, which leads to the same problems as the first vulnerability (any user can create /tmp/swhkd.sock and generate or intercept keypress events).
  • CVE-2022-27817 - Input events are accepted from all devices and in all sessions, i.e. a user in another Wayland session or on the console can intercept the events when other users press hotkeys.
  • CVE-2022-27816 - The swhks process, like swhkd, uses the PID file /tmp/swhks.pid in the writable /tmp directory. The problem is similar to the first vulnerability, but is not as dangerous because swhks runs under an unprivileged user.
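The PID-file problems above (CVE-2022-27815, CVE-2022-27816 and the socket in CVE-2022-27818) come from trusting a predictable name in a directory other users can write to. The following is an added example, not swhkd's own code, of the checks a root daemon can apply before writing its PID file: the directory must be owned by the expected user and not writable by others, and the file is created with O_CREAT|O_EXCL so a pre-planted file or symlink is refused instead of overwritten or followed. The directory and file names are assumptions for the demo.

```rust
// Added example (not from swhkd): creating a PID file so that a name planted in
// a shared directory such as /tmp cannot redirect the write or break startup.
use std::fs::{self, OpenOptions};
use std::io::{self, Error, ErrorKind, Write};
use std::os::unix::fs::{MetadataExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Reject a PID-file directory that is not owned by `owner_uid` or that other
/// users can write to; a writable directory lets anyone pre-create the file.
pub fn check_pid_dir(dir: &Path, owner_uid: u32) -> io::Result<()> {
    let md = fs::symlink_metadata(dir)?; // do not follow a symlinked directory
    if !md.is_dir() {
        return Err(Error::new(ErrorKind::InvalidInput, "not a directory"));
    }
    if md.uid() != owner_uid {
        return Err(Error::new(ErrorKind::PermissionDenied, "directory owned by another user"));
    }
    if (md.permissions().mode() & 0o022) != 0 {
        return Err(Error::new(ErrorKind::PermissionDenied, "directory writable by others"));
    }
    Ok(())
}

/// Write `pid` to `path`. create_new() is O_CREAT|O_EXCL: the open fails if
/// anything already exists at `path`, and the kernel refuses O_EXCL on a
/// symlink, so a planted link cannot turn this into a write somewhere else.
pub fn write_pid_file(path: &Path, pid: u32, owner_uid: u32) -> io::Result<()> {
    let dir = path.parent().ok_or_else(|| Error::new(ErrorKind::InvalidInput, "no parent dir"))?;
    check_pid_dir(dir, owner_uid)?;
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o644).open(path)?;
    writeln!(f, "{}", pid)
}

fn main() -> io::Result<()> {
    // Stand-alone demo in a private (0700) directory under the temp dir.
    let dir = std::env::temp_dir().join(format!("pidfile-demo-{}", std::process::id()));
    fs::create_dir(&dir)?;
    fs::set_permissions(&dir, fs::Permissions::from_mode(0o700))?;
    let uid = fs::metadata(&dir)?.uid();
    let pid_path = dir.join("daemon.pid"); // assumed name for the demo
    write_pid_file(&pid_path, std::process::id(), uid)?;
    println!("wrote {}", pid_path.display());
    // A second writer (or a pre-planted file) is refused instead of overwritten.
    assert!(write_pid_file(&pid_path, 1, uid).is_err());
    fs::remove_dir_all(&dir)
}
```

The same directory check applies to the socket path: binding a Unix socket under a root-owned, non-world-writable runtime directory removes the /tmp race the advisory describes.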

source: budenet.ru
