Vulnerabilities in the Linux kernel, Glibc, GStreamer, Ghostscript, BIND and CUPS

Several vulnerabilities have been identified recently:

  • CVE-2023-39191 is a vulnerability in the eBPF subsystem that allows a local user to escalate privileges and execute code at the Linux kernel level. The vulnerability is caused by incorrect verification of eBPF programs submitted by the user for execution. To carry out an attack, the user must be able to load their own BPF program (if the kernel.unprivileged_bpf_disabled parameter is set to 0, for example, as in Ubuntu 20.04). Information about the vulnerability was passed to the kernel developers in December of last year, and the fix was quietly introduced in January.
  • CVE-2023-42753 is an array index issue in the ipset implementation in the netfilter kernel subsystem, which can be used to increment/decrement pointers and create conditions for writing to or reading from a memory location outside the allocated buffer. To check for the presence of the vulnerability, an exploit prototype has been prepared that causes an abnormal termination (more dangerous exploitation scenarios cannot be ruled out). The fix is included in kernel releases 5.4.257, 6.5.3, 6.4.16, 6.1.53, 5.10.195, 5.15.132.
  • CVE-2023-39192, CVE-2023-39193, CVE-2023-39193 - several vulnerabilities in the Linux kernel that lead to leakage of kernel memory contents due to the ability to read from areas outside the allocated buffer in the match_flags and u32_match_it functions of the Netfilter subsystem, as well as in the state filter processing code. The vulnerabilities were fixed in August (1, 2) and June.
  • CVE-2023-42755 is a vulnerability that allows an unprivileged local user to cause a kernel crash due to an error when working with pointers in the rsvp traffic classifier. The problem appears in LTS kernels 6.1, 5.15, 5.10, 5.4, 4.19 and 4.14. An exploit prototype has been prepared. The fix has not yet been accepted into the kernel and is available as a patch.
  • CVE-2023-42756 is a race condition in the NetFilter kernel subsystem that a local user can exploit to trigger a panic condition. An exploit prototype is available that works at least on kernels 6.5.rc7, 6.1 and 5.10. The fix has not yet been accepted into the kernel and is available as a patch.
  • CVE-2023-4527 - a stack overflow in the Glibc library that occurs in the getaddrinfo function when processing a DNS response larger than 2048 bytes. The vulnerability can lead to a data leak or a crash. The vulnerability appears only in Glibc versions newer than 2.36 when the "no-aaaa" option is used in /etc/resolv.conf.
  • CVE-2023-40474, CVE-2023-40475 are vulnerabilities in the GStreamer multimedia framework caused by overflows in the MXF video file handlers. The vulnerabilities can lead to execution of attacker code when specially crafted MXF files are processed in applications that use GStreamer. The problem is fixed in the gst-plugins-bad 1.22.6 package.
  • CVE-2023-40476 - a buffer overflow in the H.265 video handler provided in GStreamer, which allows code execution when specially crafted video is processed. The vulnerability is fixed in the gst-plugins-bad 1.22.6 package.
  • Analysis - an analysis of an exploit that uses the CVE-2023-36664 vulnerability in the Ghostscript package to execute its code when specially crafted PostScript documents are opened. The problem is caused by incorrect handling of file names that begin with the "|" character or the %pipe% prefix. The vulnerability is fixed in the Ghostscript 10.01.2 release.
  • CVE-2023-3341, CVE-2023-4236 - vulnerabilities in the BIND 9 DNS server that lead to a crash of the named process when specially crafted control messages are processed (access to the TCP port through which named is managed is sufficient (by default it is open only for the loopback interface); knowledge of the RNDC key is not required) or when a certain high load is created in DNS-over-TLS mode. The vulnerabilities are resolved in BIND releases 9.16.44, 9.18.19, and 9.19.17.
  • CVE-2023-4504 is a vulnerability in the CUPS print server and the libppd library that leads to a buffer overflow when specially crafted Postscript documents are parsed. The vulnerability can potentially be exploited to execute one's own code on the system. The problem is resolved in the CUPS 2.4.7 (patch) and libppd 2.0.0 (patch) releases.
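
A host check for three of the items above (the fixed kernel releases for CVE-2023-42753, the kernel.unprivileged_bpf_disabled precondition for CVE-2023-39191 and the "no-aaaa" precondition for CVE-2023-4527), as an added example that is not part of the original article. The function names and sample inputs are constructed for illustration, and the version comparison assumes upstream stable version numbers, so a distribution kernel with backported fixes has to be checked against its vendor advisory instead.

```python
import re

# First fixed upstream stable release per branch for CVE-2023-42753 (from the list above).
FIXED_42753 = {(5, 4): 257, (5, 10): 195, (5, 15): 132,
               (6, 1): 53, (6, 4): 16, (6, 5): 3}

def ipset_fix_status(release):
    """Classify a `uname -r` string against the fixed releases for CVE-2023-42753."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    fixed = FIXED_42753.get((major, minor))
    if fixed is None:
        return "branch-not-listed"   # the article names no fixed release for this branch
    return "has-fix" if patch >= fixed else "below-fixed-release"

def unprivileged_bpf_allowed(sysctl_value):
    """True when kernel.unprivileged_bpf_disabled is 0 (precondition for CVE-2023-39191)."""
    return sysctl_value.strip() == "0"

def resolver_uses_no_aaaa(resolv_conf_text):
    """True when an `options` line enables no-aaaa (precondition for CVE-2023-4527)."""
    for line in resolv_conf_text.splitlines():
        # Comment lines start with '#' or ';', so only lines that begin
        # with the `options` keyword are considered.
        if re.match(r"options[ \t]", line) and "no-aaaa" in line.split()[1:]:
            return True
    return False

def audit(release, sysctl_value, resolv_conf_text):
    """Combine the three checks into one report keyed by CVE."""
    return {
        "CVE-2023-42753": ipset_fix_status(release),
        "CVE-2023-39191 precondition": unprivileged_bpf_allowed(sysctl_value),
        "CVE-2023-4527 precondition": resolver_uses_no_aaaa(resolv_conf_text),
    }

# Constructed sample resolv.conf (not taken from a real host).
SAMPLE_RESOLV = "nameserver 192.0.2.53\n# options no-aaaa\noptions timeout:2 no-aaaa\n"

if __name__ == "__main__":
    # Constructed inputs; on a real host pass the output of `uname -r`,
    # `sysctl -n kernel.unprivileged_bpf_disabled` and the text of /etc/resolv.conf.
    print(audit("6.1.52-generic", "0", SAMPLE_RESOLV))
```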

source: budenet.ru
