Vulnerability in firejail allowing root access to the system

A vulnerability (CVE-2022-31214) has been identified in the Firejail application sandboxing utility that allows a local user to gain root privileges on the host system. A working exploit is publicly available and has been tested on releases of openSUSE, Debian, Arch, Gentoo and Fedora with the firejail utility installed. The issue is fixed in the firejail 0.9.70 release. As a workaround, you can set the parameters "join no" and "force-nonewprivs yes" in the configuration file (/etc/firejail/firejail.config).

Firejail uses namespaces, AppArmor and system call filtering (seccomp-bpf) on Linux for isolation, but it needs elevated privileges to set up the isolated execution, which it obtains by being installed with the suid root flag or by being run with sudo. The vulnerability is caused by a flaw in the logic of the "--join=<PID>" option, which is intended for connecting to an isolated environment that is already running (similar to a login command for a sandbox), with the environment identified by the ID of a process running inside it. At the stage before privileges are dropped, firejail determines the privileges of the specified process and applies them to the new process that is attached to the environment with the "--join" option.

Before connecting, it checks whether the specified process is running in a firejail environment. This check tests for the presence of the file /run/firejail/mnt/join. To exploit the vulnerability, an attacker can simulate a fictitious, non-isolated firejail environment using a mount namespace and then connect to it with the "--join" option. If the settings do not enable the mode that prohibits gaining additional privileges in new processes (prctl NO_NEW_PRIVS), firejail will attach the user to the fictitious environment and try to apply the user namespace settings of the init process (PID 1).

As a result, the process connected via "firejail --join" ends up in the user's original user namespace with unchanged privileges, but in a different mount namespace that is fully controlled by the attacker. The attacker can also run setuid-root programs in the mount namespace they created, which makes it possible, for example, to change the /etc/sudoers settings or PAM parameters in their own file hierarchy and then execute commands with root rights using the sudo or su utilities.
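An added example (not from the original article or the Firejail project) that audits a firejail.config-style file for the two workaround settings named above and compares a version string against the fixed release 0.9.70. It assumes "key value" lines with `#` comments, that the last uncommented occurrence wins, and that the built-in defaults are "join yes" and "force-nonewprivs no"; the function names are hypothetical.

```shell
#!/bin/sh
# Audit helper for the CVE-2022-31214 workaround ("join no", "force-nonewprivs yes").

# Print the effective value of KEY in FILE, or DEFAULT when it is absent.
# Assumption: commented lines are inactive and the last active line wins.
cfg_value() {  # usage: cfg_value FILE KEY DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }            # commented-out default, ignore
        $1 == key  { val = $2 }        # remember the latest active value
        END        { print (val == "" ? def : val) }
    ' "$1"
}

# Return 0 if VERSION is 0.9.70 or later (the fixed release per the article).
version_fixed() {  # usage: version_fixed VERSION
    [ "$(printf '%s\n%s\n' "0.9.70" "$1" | sort -V | head -n1)" = "0.9.70" ]
}

# Return 0 only when both workaround settings are in effect.
audit_firejail_config() {  # usage: audit_firejail_config FILE
    rc=0
    join=$(cfg_value "$1" join yes)              # assumed default: yes
    nnp=$(cfg_value "$1" force-nonewprivs no)    # assumed default: no
    [ "$join" = "no" ] || { echo "FAIL: join is '$join' (want: no)"; rc=1; }
    [ "$nnp" = "yes" ] || { echo "FAIL: force-nonewprivs is '$nnp' (want: yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: workaround settings are active in $1"
    return "$rc"
}

# Constructed sample: a config that leaves both settings at commented defaults.
sample=$(mktemp)
printf '# join yes\n# force-nonewprivs no\n' > "$sample"
audit_firejail_config "$sample" || echo "=> set the workaround or upgrade to 0.9.70"
rm -f "$sample"
```

On a real host, call `audit_firejail_config /etc/firejail/firejail.config` and pass the installed package version to `version_fixed`.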

Source: opennet.ru
