Vulnerability in the standard libraries of the Rust and Go languages that allows IP address validation to be bypassed

Vulnerabilities related to the incorrect handling of IP addresses containing octal digits in address-parsing functions have been identified in the standard libraries of the Rust and Go languages. The vulnerabilities make it possible to bypass address validity checks in applications, for example to gain access to loopback addresses (127.x.x.x) or intranet subnets when carrying out SSRF (Server-side request forgery) attacks. These vulnerabilities continue a series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, IP address string values beginning with a zero should be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the number 0177 in octal is equal to 127 in decimal. An attacker could request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If a vulnerable library is used, the application will not detect that the address 0177.0.0.1 lies in the 127.0.0.1/8 subnet, but in fact, when the request is sent, it may access the address "0177.0.0.1", which the network functions will treat as 127.0.0.1. Similarly, a check restricting access to intranet addresses can be deceived by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" was affected by the problem (CVE-2021-29922). This library's IP address parser discarded leading zeros in the address, but only if there were no more than three digits; for example, "0177.0.0.1" would be treated as an invalid value, while an incorrect result would be returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr to parse user-specified addresses are potentially susceptible to SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.

In Go, the standard library "net" is affected (CVE-2021-29923). The built-in function net.ParseCIDR skips leading zeros before octal numbers instead of processing them. For example, an attacker could pass the value 00000177.0.0.1, which, when checked by the net.ParseCIDR(00000177.0.0.1/24) function, will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself on the Kubernetes platform. The vulnerability is fixed in Go release 1.16.3 and beta 1.17.
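The three behaviours the report contrasts, side by side, as an added Go example that is not part of the original report nor code from the Go or Rust standard libraries: a lenient parser that models the pre-fix "drop leading zeros, read as decimal" behaviour described for both libraries, an inet_aton-style parser that reads a leading zero as octal the way the network stack will, and a strict parser that simply rejects non-canonical octets, which is the approach the Go 1.16.3 and Rust 1.53.0 fixes took. The function names, the Verdict type and the sample inputs are assumptions of this example; the lenient parser is a model of the described behaviour, not the historic library code, and the inet_aton-style parser is simplified to the four-component form.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrNonCanonical is returned for octets with leading zeros, non-digits or values above 255.
var ErrNonCanonical = errors.New("ipv4: non-canonical or invalid octet")

// StrictParseIPv4 accepts only canonical dotted-decimal IPv4: four octets, digits only,
// 0-255, no leading zeros. Rejecting instead of reinterpreting leaves no room for a
// validator and the network stack to disagree about which host a string names.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, ErrNonCanonical
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if p == "" || (len(p) > 1 && p[0] == '0') {
			return nil, ErrNonCanonical
		}
		for _, c := range p {
			if c < '0' || c > '9' {
				return nil, ErrNonCanonical
			}
		}
		n, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return nil, ErrNonCanonical
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// InetAtonStyleIPv4 reads each octet as the BSD inet_aton() convention does: a leading
// "0" means octal and "0x" means hex (strconv base 0). This is what the network
// functions do with a string a lenient validator waved through. Simplified to the
// four-component form only (assumption of this example).
func InetAtonStyleIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("ipv4: expected four components")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		n, err := strconv.ParseUint(p, 0, 8)
		if err != nil {
			return nil, err
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// LenientLegacyParseIPv4 models the pre-fix behaviour the report describes (a model,
// not the historic library code): leading zeros are discarded, the rest is decimal.
func LenientLegacyParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("ipv4: expected four components")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		trimmed := strings.TrimLeft(p, "0")
		if trimmed == "" {
			trimmed = "0"
		}
		n, err := strconv.ParseUint(trimmed, 10, 8)
		if err != nil {
			return nil, err
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// internalNets are the ranges an SSRF guard typically blocks: loopback, RFC 1918 and link-local.
var internalNets = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, cidr := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

// IsInternal reports whether ip falls in one of the blocked ranges.
func IsInternal(ip net.IP) bool {
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Verdict records what each parser makes of one input string ("" where a parser rejects it).
type Verdict struct {
	Legacy, Network                 string
	LegacyInternal, NetworkInternal bool
	StrictOK                        bool
}

// Assess runs all three parsers over s and applies the internal-range check to the results.
func Assess(s string) Verdict {
	var v Verdict
	if ip, err := LenientLegacyParseIPv4(s); err == nil {
		v.Legacy, v.LegacyInternal = ip.String(), IsInternal(ip)
	}
	if ip, err := InetAtonStyleIPv4(s); err == nil {
		v.Network, v.NetworkInternal = ip.String(), IsInternal(ip)
	}
	_, err := StrictParseIPv4(s)
	v.StrictOK = err == nil
	return v
}

func main() {
	// Constructed sample inputs, including the two forms quoted in the report.
	for _, s := range []string{"127.0.0.1", "0177.0.0.1", "012.0.0.1", "00000177.0.0.1"} {
		v := Assess(s)
		fmt.Printf("%-15s legacy=%-10s internal=%-5v network=%-10s internal=%-5v strictOK=%v\n",
			s, v.Legacy, v.LegacyInternal, v.Network, v.NetworkInternal, v.StrictOK)
	}
}
```

For "0177.0.0.1" the legacy model yields 177.0.0.1 and passes the internal-range check, while the inet_aton-style reading yields 127.0.0.1, which is exactly the mismatch the report describes; the strict parser rejects the string outright, so there is nothing for the two interpretations to disagree about.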

Source: opennet.ru