Problems caused by vulnerability reports prepared with AI tools

Daniel Stenberg, author of curl, a utility for receiving and sending data over the network, criticized the use of AI tools to create vulnerability reports. Such reports include detailed information, are written in fluent language and look high-quality, but without real in-depth analysis they can only mislead, replacing real problems with very polished-looking garbage.

The curl project pays rewards for identifying new vulnerabilities and has already received 415 reports of potential problems, of which only 64 were confirmed as vulnerabilities and 77 as non-security bugs. Thus, 66% of all reports contained no useful information and only took time from the developers that could have been spent on something useful.

Developers are forced to waste a lot of time parsing useless reports and double-checking the information in them several times, since the polished outward appearance creates additional confidence in the information and leaves a feeling that the developer has misunderstood something. On the other hand, generating such a report requires minimal effort from the submitter, who does not bother to check for a real problem but simply blindly copies what was received from AI assistants, hoping for luck in the fight to receive a reward.

Two examples of such garbage reports are given. The day before the disclosure of information about the October vulnerability (CVE-2023-38545), a report was submitted through Hackerone claiming that the patch had become publicly available. In fact, the report contained a mixture of facts about similar problems and snippets of detailed information about past vulnerabilities, compiled by Google's AI assistant Bard. As a result, the information looked new and relevant, and had no connection with reality.

The second example concerns a message received on December 28 about a buffer overflow in the WebSocket handler, sent by a user who had already informed various projects about vulnerabilities through Hackerone. As a method of reproducing the problem, the report included general words about passing a modified request with a value larger than the size of the buffer used when copying with strcpy. The report also provided an example of a fix (an example of replacing strcpy with strncpy) and a link to the line of code "strcpy(keyval, randstr)", which, according to the submitter, contained an error.

The developer checked everything three times and found no problems, but since the report was written confidently and even contained a fix, there was a feeling that something was being missed somewhere. An attempt to clarify how the researcher managed to bypass the explicit size check present before the strcpy call, and how the size of the keyval buffer turned out to be smaller than the size of the data read, led to detailed explanations that carried no additional information and only chewed over the well-known general causes of buffer overflows, unrelated to the curl code. The answers were reminiscent of communicating with an AI assistant, and after spending half a day on pointless attempts to find out how the problem manifests itself, the developer was convinced that there was no vulnerability.
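The pattern at issue in the second report, as an added example that is not curl's code: a strcpy preceded by an explicit length check, next to the proposed strncpy replacement. The function names, the buffer size and the inputs are assumptions constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY_BUF_SIZE 40  /* assumed size, chosen for this example */

/* Pattern under review: the length is checked before strcpy runs, so the
 * copy (including the NUL terminator) always fits in dst. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (strlen(src) >= dst_size)
        return -1;              /* too long: rejected, nothing is written */
    strcpy(dst, src);           /* safe: strlen(src) + 1 <= dst_size */
    return 0;
}

/* The replacement such a report proposes: strncpy without the check.
 * No overflow, but a too-long src is silently truncated and dst is left
 * without a NUL terminator. Returns 1 if dst ended up terminated. */
int copy_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* Fill out with a constructed string of len 'x' characters. */
static void make_input(char *out, size_t len)
{
    memset(out, 'x', len);
    out[len] = '\0';
}

int main(void)
{
    char key[KEY_BUF_SIZE], in[128];
    make_input(in, KEY_BUF_SIZE - 1);
    printf("fits:     checked=%d\n", copy_checked(key, sizeof key, in));
    make_input(in, KEY_BUF_SIZE);
    printf("too long: checked=%d terminated_after_strncpy=%d\n",
           copy_checked(key, sizeof key, in),
           copy_strncpy(key, sizeof key, in));
    return 0;
}
```

When triaging a report of this kind, the question to settle is whether any path reaches the strcpy without passing the check; if none does, the line cannot overflow regardless of how the report is worded.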

Source: opennet.ru
