Vulnerability in the Rust standard library

A vulnerability (CVE-2022-21658) has been identified in the Rust standard library, caused by a race condition in the std::fs::remove_dir_all() function. If this function is used to delete temporary files in a privileged program, an attacker can cause the deletion of arbitrary system files and directories that the attacker would not otherwise have permission to remove.

The vulnerability is caused by incorrect handling of symbolic links before a directory is removed recursively. Instead of refusing to follow symlinks, remove_dir_all() first checks whether the path is a symlink. If a link is detected, it is removed as a file; if it is a directory, the recursive removal routine is called. The problem is that there is a short window between the check and the start of the removal operation.

In the window after the check has already been performed but before the operation that enumerates the directory entries to delete has begun, the attacker can replace the temporary-file directory with a symbolic link. If the timing is right, remove_dir_all() will treat the symbolic link as a directory and begin deleting whatever the link points to. Although the success of the attack depends on precisely timing the replacement of the directory, and hitting the right moment on the first attempt is unlikely, during testing the researchers were able to achieve reproducible results after running the exploit in a loop for several seconds.

All Rust versions from 1.0.0 up to and including 1.58.0 are affected. The issue is currently fixed only as a patch (the fix will be included in release 1.58.1, which is expected within a few hours). You can track the fix in the distributions on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch, FreeBSD. All users of Rust programs that run with elevated privileges and use remove_dir_all are advised to update Rust to 1.58.1 as soon as possible. Notably, the released patch does not fix the problem on all systems; for example, on Redox OS and on macOS versions before 10.10 (Yosemite), the vulnerability is not blocked because those platforms lack the O_NOFOLLOW flag, which prevents symbolic links from being followed.

Source: opennet.ru
