Ghostscript vulnerability exploitable via ImageMagick

Ghostscript, a set of tools for processing, converting and generating documents in PostScript and PDF formats, has a serious vulnerability (CVE-2021-3781) that allows arbitrary code execution when processing a specially crafted file. The issue was first brought to light by Emil Lerner, who spoke about the vulnerability on August 25 at the ZeroNights X conference held in St. … receive bonuses for demonstrating attacks on the AirBNB, Dropbox and Yandex.Real Estate services).

On September 5, a working exploit appeared in the public domain that makes it possible to attack systems running Ubuntu 20.04 by sending a specially crafted document, uploaded as an image, to web scripts running on the server that use the php-imagemagick package. In addition, according to preliminary data, a similar exploit has been in use since March. It was stated that systems running GhostScript 9.50 could be attacked, but it turned out that the vulnerability was present in all subsequent versions of GhostScript, including the 9.55 release from Git.

The fix was proposed on September 8 and, after peer review, was accepted into the GhostScript repository on September 9. In many distributions the problem remains unfixed (the status of updates can be checked on the pages of Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD). A GhostScript release containing the fix for the vulnerability is planned to be published before the end of the month.

The problem is caused by the possibility of bypassing the "-dSAFER" isolation mode due to insufficient checking of the parameters of the PostScript device "%pipe%", which allows arbitrary shell commands to be executed. For example, to run the id utility from a document, it is enough to specify the line "(%pipe%/tmp/&id)(w)file" or "(%pipe%/tmp/;id)(r)file".

Recall that vulnerabilities in Ghostscript pose an increased risk, since this package is used in many popular applications for processing PostScript and PDF formats. For example, Ghostscript is called during desktop thumbnail creation, background data indexing and image conversion. For a successful attack, in many cases it is enough simply to download the exploit file or to view the directory containing it in a file manager that supports displaying document thumbnails, for example, in Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image processors based on the ImageMagick and GraphicsMagick packages by passing them a JPEG or PNG file that contains PostScript code instead of an image (such a file will be processed by Ghostscript, since the MIME type is recognized by content, without relying on the extension).
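The content-versus-extension mismatch described above can be caught before an upload ever reaches ImageMagick. The following is an added example, not code from the article or from any of the projects it names; the function names, the accepted-format allowlist and the sample byte strings are assumptions made for illustration.

```python
import os

# Allowlist: leading-byte signatures of the only raster formats we accept.
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Signatures of content that a content-sniffing converter hands to Ghostscript
# (PostScript, PostScript with a leading Ctrl-D, PDF, DOS-binary EPS).
GHOSTSCRIPT_MAGIC = (b"%!", b"\x04%!", b"%PDF-", b"\xc5\xd0\xd3\xc6")
EXT_TO_FORMAT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff(data: bytes) -> str:
    """Classify an upload by its first bytes, as a content-based detector would."""
    if data.startswith(GHOSTSCRIPT_MAGIC):
        return "ghostscript-handled"
    for fmt, signatures in IMAGE_MAGIC.items():
        if data.startswith(signatures):
            return fmt
    return "unknown"


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); accept only when extension and content agree."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_FORMAT.get(ext)
    if claimed is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff(data)
    if actual != claimed:
        return False, f"claims {claimed}, content is {actual}"
    return True, "ok"


# Constructed samples (headers only, not real files).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "avatar.jpg": b"%!PS-Adobe-3.0\n% constructed PostScript header\n",
    "scan.png": b"%PDF-1.7\n",
    "notes.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_upload(name, blob))
```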

Source: opennet.ru
