Vulnerability in NPM leading to overwriting of files on the system

GitHub has disclosed details of seven vulnerabilities in the tar and @npmcli/arborist packages, which provide functions for working with tar archives and for computing the dependency tree in Node.js. When a specially crafted archive is extracted, the vulnerabilities allow files to be overwritten outside the directory being extracted into, as far as the access permissions of the extracting process allow. This makes it possible to arrange execution of arbitrary code on the system, for example by appending commands to ~/.bashrc or ~/.profile when the operation is performed by an unprivileged user, or by modifying system files when it runs as root.

The severity of the vulnerability is increased by the fact that the vulnerable code is used by the npm package manager when handling npm packages, which makes it possible to attack users by placing a specially crafted npm package in the repository: installing it would execute the attacker's code on the system. The attack works even when the package is installed in "--ignore-scripts" mode, which prevents the execution of build scripts. In total, four of the seven vulnerabilities affect npm (CVE-2021-32804, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135). The first two problems affect the tar package, and the remaining two the @npmcli/arborist package.

The most dangerous vulnerability, CVE-2021-32804, stems from incorrect handling of repeated "/" characters when stripping absolute paths specified in a tar archive: only the first one is removed, while the rest are left in place. For example, the path "/home/user/.bashrc" is converted to "home/user/.bashrc", but the path "//home/user/.bashrc" becomes "/home/user/.bashrc". The second vulnerability, CVE-2021-37713, manifests only on the Windows platform and is related to incorrect sanitization of relative paths that include an unusual drive-letter form ("C:some\path") or a sequence returning to the parent directory ("C:../foo").

Vulnerabilities CVE-2021-39134 and CVE-2021-39135 are specific to the @npmcli/arborist module. The first problem manifests only on systems whose filesystems do not distinguish case in file names (macOS and Windows), and allows files to be written to an arbitrary location in the filesystem by listing two modules among the dependencies, 'foo: "file:/some/path"' and 'FOO: "file:foo.tgz"', the processing of which leads to the contents of the /some/path directory being removed and the contents of foo.tgz being written in their place. The second problem allows files to be overwritten through symbolic link substitution.

The vulnerabilities are fixed in Node.js releases 12.22.6 and 14.17.6, npm CLI 6.14.15 and 7.21.0, and the standalone tar package releases 4.4.19, 5.0.11 and 6.1.10. After receiving the details of the problem through its bug bounty program, GitHub paid the researchers $14,500 and analyzed the contents of the repository, which revealed no attempts to exploit the issues. To protect against these problems, GitHub has also banned publishing packages to the NPM registry that include symbolic links, hard links or absolute paths.

Source: opennet.ru
