Phukusi la ImageMagick, lomwe nthawi zambiri limagwiritsidwa ntchito ndi opanga mawebusayiti kuti asinthe zithunzi, lili ndi chiopsezo cha CVE-2022-44268, chomwe chingayambitse kutulutsa kwamafayilo ngati zithunzi za PNG zokonzedwa ndi wowukira zisinthidwa pogwiritsa ntchito ImageMagick. Kusatetezeka kumakhudza machitidwe omwe amakonza zithunzi zakunja ndikulola kuti zotsatira zotembenuka zikwezedwe.
Chiwopsezochi chimayamba chifukwa chakuti ImageMagick ikakonza chithunzi cha PNG, imagwiritsa ntchito zomwe zili mugawo la "mbiri" kuchokera pa block ya metadata kuti idziwe dzina la fayilo, lomwe limaphatikizidwa mufayiloyo. Chifukwa chake, pakuwukira, ndikwanira kuwonjezera gawo la "mbiri" ndi njira yofunikira ya fayilo ku chithunzi cha PNG (mwachitsanzo, "/ etc/passwd") komanso pokonza chithunzi chotere, mwachitsanzo, posintha chithunzicho. , zomwe zili mu fayilo yofunikira zidzaphatikizidwa mu fayilo yotulutsa . Ngati mungatchule "-" m'malo mwa dzina lafayilo, wogwirizira amadikirira kuti alowe kuchokera pamtsinje wokhazikika, womwe ungagwiritsidwe ntchito kuletsa ntchito (CVE-2022-44267).
Zosintha kuti zithetse chiwopsezocho sizinatulutsidwebe, koma opanga ImageMagick adalimbikitsa kuti ngati njira yoletsa kutayikira, pangani lamulo pazosintha zomwe zimalepheretsa njira zina zamafayilo. Mwachitsanzo, kukana mwayi wolowera kudzera m'njira zonse komanso zogwirizana, mutha kuwonjezera zotsatirazi ku policy.xml:
Zolemba zopangira zithunzi za PNG zomwe zimagwiritsa ntchito kusatetezeka zapezeka kale pagulu.
Source: opennet.ru