Vulnerabilities in X.Org libraries, two of which have been present since 1988

Details have been published on five vulnerabilities in the libX11 and libXpm libraries developed by the X.Org project. The issues are fixed in the libXpm 3.5.17 and libX11 1.8.7 releases. Three of the vulnerabilities are in libX11, the library that provides the client-side implementation of the X11 protocol:

  • CVE-2023-43785: an out-of-bounds buffer access in libX11 when processing a reply from the X server that carries a number of key symbols inconsistent with the XkbGetMap request sent earlier. The flaw was introduced in X11R6.1 and has been present since 1996. It can be triggered when an application using libX11 is connected to a malicious X server or to an attacker-controlled proxy.
  • CVE-2023-43786: stack exhaustion through unbounded recursion in libX11's PutSubImage() function, reached while processing specially crafted data in XPM format. The bug has existed since X11R2, released in February 1988.
  • CVE-2023-43787: an integer overflow in libX11's XCreateImage() function leads to a heap overflow, because the computed allocation size does not match the actual size of the image data. The affected XCreateImage() is called from XpmReadFileToPixmap(), so the vulnerability can be exploited by processing a specially crafted XPM file. This bug has also been present since X11R2 (1988).
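The CVE-2023-43787 item above describes a size computation whose result no longer matches the data it is supposed to hold. The following C example, added here and not taken from libX11 or the X.Org project, contrasts a hypothetical unchecked image-size computation (32-bit arithmetic that silently wraps) with a checked one that tests every multiplication for overflow and additionally refuses to allocate when the header-derived size disagrees with the number of pixel bytes actually supplied. The parameter names mirror XImage fields for readability only; the 65536x65536 header values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-checked multiply for allocation sizes. */
static int mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Unchecked computation in the style of the bug class described above:
 * plain 32-bit arithmetic, no overflow test. Hypothetical code, not
 * libX11's XCreateImage(). */
unsigned image_bytes_unchecked(unsigned width, unsigned height,
                               unsigned depth, unsigned bitmap_pad)
{
    unsigned bits_per_line = width * depth;
    unsigned bytes_per_line = (bits_per_line + bitmap_pad - 1) / bitmap_pad
                              * (bitmap_pad / 8);
    return bytes_per_line * height;            /* silently wraps */
}

/* Checked version: validates the parameters, does every step in size_t with
 * an explicit overflow test, and rejects a result that does not match the
 * amount of pixel data the caller really has. Returns 0 and the size on
 * success, -1 otherwise. */
int image_bytes_checked(unsigned width, unsigned height, unsigned depth,
                        unsigned bitmap_pad, size_t data_len, size_t *out)
{
    size_t bits, padded, bytes_per_line, total;

    if (depth == 0 || depth > 32)
        return -1;
    if (bitmap_pad != 8 && bitmap_pad != 16 && bitmap_pad != 32)
        return -1;
    if (mul_size(width, depth, &bits) < 0)
        return -1;
    if (bits > SIZE_MAX - (bitmap_pad - 1))
        return -1;
    padded = (bits + bitmap_pad - 1) / bitmap_pad;
    if (mul_size(padded, bitmap_pad / 8, &bytes_per_line) < 0)
        return -1;
    if (mul_size(bytes_per_line, height, &total) < 0)
        return -1;
    if (total != data_len)                     /* header disagrees with data */
        return -1;
    *out = total;
    return 0;
}

/* Allocate and copy pixel data using the checked size; returns NULL rather
 * than allocating a buffer smaller than the data that will be copied in. */
unsigned char *image_copy(unsigned width, unsigned height, unsigned depth,
                          unsigned bitmap_pad, const unsigned char *data,
                          size_t data_len)
{
    size_t n;
    if (image_bytes_checked(width, height, depth, bitmap_pad, data_len, &n) < 0)
        return NULL;
    unsigned char *img = malloc(n);
    if (img)
        memcpy(img, data, n);
    return img;
}

int main(void)
{
    /* Constructed header: 65536x65536 at 32 bpp needs 2^34 bytes, which the
     * unchecked 32-bit computation reports as 0. */
    size_t n = 0;
    printf("unchecked: %u bytes\n", image_bytes_unchecked(65536, 65536, 32, 32));
    printf("checked:   rc=%d\n",
           image_bytes_checked(65536, 65536, 32, 32, 1024, &n));
    return 0;
}
```

With the wrapped size of 0 a real implementation would call malloc(0) and then copy the full image into it, which is exactly the heap overflow the advisory describes; the checked variant fails closed instead, on both 32-bit and 64-bit size_t.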

In addition, two vulnerabilities have been disclosed in libXpm (CVE-2023-43788 and CVE-2023-43789), both caused by reads from memory outside the bounds of the supplied buffer. The problems occur when loading comments from an XPM buffer held in memory and when processing an XPM file with a corrupted colormap. Both flaws date back to 1998 and were found with the memory-error detection and fuzzing tools AddressSanitizer and libFuzzer.
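The two libXpm issues are both bounds problems in parsing: a comment scanner that has to stop at the end of the in-memory buffer even when the comment is never closed, and a pixel decoder that must not trust that every pixel key appears in the color table. The C validator below is an added illustration written for this article, not libXpm's code, and deliberately supports only a subset of the format: XPM3 in C syntax, one character per pixel, colors listed one per string. The three sample images are constructed inline; each is passed to check_sample() with its length so the parser never relies on a terminating NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct xpm_cursor { const char *p; const char *end; };

/* Skip separators and C comments. A comment that is not closed before the
 * end of the buffer returns -1 instead of scanning past it. */
static int skip_ws_comments(struct xpm_cursor *c)
{
    for (;;) {
        while (c->p < c->end && memchr(" \t\r\n,", *c->p, 5))
            c->p++;
        if (c->end - c->p < 2 || c->p[0] != '/' || c->p[1] != '*')
            return 0;
        for (c->p += 2;; c->p++) {
            if (c->end - c->p < 2)
                return -1;
            if (c->p[0] == '*' && c->p[1] == '/') {
                c->p += 2;
                break;
            }
        }
    }
}

/* Read the next "..." string in place; -1 if absent or not closed in-bounds. */
static int read_string(struct xpm_cursor *c, const char **s, size_t *len)
{
    if (skip_ws_comments(c) < 0 || c->p >= c->end || *c->p != '"')
        return -1;
    *s = ++c->p;
    while (c->p < c->end && *c->p != '"')
        c->p++;
    if (c->p >= c->end)
        return -1;
    *len = (size_t)(c->p - *s);
    c->p++;
    return 0;
}

/* Validate an XPM image held in memory (one character per pixel).
 * Returns 0 when well-formed, -1 when truncated or malformed, and -2 when
 * a pixel uses a key that the color table never defined. */
int xpm_check_buffer(const char *buf, size_t n, unsigned *width, unsigned *height)
{
    struct xpm_cursor c = { buf, buf + n };
    const char *s, *brace; size_t len; char hdr[64];
    unsigned w, h, ncolors, cpp; unsigned char known[256] = { 0 };

    if (skip_ws_comments(&c) < 0)      /* leading XPM marker comment */
        return -1;
    brace = memchr(c.p, '{', (size_t)(c.end - c.p));
    if (!brace)
        return -1;
    c.p = brace + 1;

    /* values line: "<width> <height> <ncolors> <chars per pixel>" */
    if (read_string(&c, &s, &len) < 0 || len >= sizeof hdr)
        return -1;
    memcpy(hdr, s, len);
    hdr[len] = '\0';
    if (sscanf(hdr, "%u %u %u %u", &w, &h, &ncolors, &cpp) != 4 || cpp != 1)
        return -1;

    /* color table: the first character of each entry is the pixel key */
    for (unsigned i = 0; i < ncolors; i++) {
        if (read_string(&c, &s, &len) < 0 || len < 1)
            return -1;
        known[(unsigned char)s[0]] = 1;
    }

    /* pixel rows: exact width, and every key must have been defined above */
    for (unsigned y = 0; y < h; y++) {
        if (read_string(&c, &s, &len) < 0 || len != w)
            return -1;
        for (size_t x = 0; x < len; x++)
            if (!known[(unsigned char)s[x]])
                return -2;
    }
    *width = w;
    *height = h;
    return 0;
}

/* Constructed samples: a valid 3x2 image, one whose second row uses the
 * undefined key 'X', and one cut off inside a comment. */
static const char good_xpm[] =
    "/* XPM */\nstatic char *good[] = {\n\"3 2 2 1\",\n\". c #000000\",\n"
    "\"# c #FFFFFF\",\n/* pixels */\n\".#.\",\n\"#.#\"\n};\n";
static const char badmap_xpm[] =
    "/* XPM */\nstatic char *bad[] = {\n\"3 2 2 1\",\n\". c #000000\",\n"
    "\"# c #FFFFFF\",\n\".#.\",\n\"#X#\"\n};\n";
static const char cut_xpm[] =
    "/* XPM */\nstatic char *cut[] = {\n\"3 2 2 1\",\n/* never closed";

int check_sample(const char *xpm, size_t n)
{
    unsigned w = 0, h = 0;
    return xpm_check_buffer(xpm, n, &w, &h);
}
```

Calling check_sample() on the three samples gives 0, -2 and -1 respectively. The important property is that every pointer advance is guarded by a comparison against end, so a truncated or unterminated input yields an error code rather than a read beyond the buffer, and the known[] table turns an undefined pixel key into a rejected image instead of an out-of-bounds colormap lookup.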

X.Org has a long history of security problems. Ten years ago, at the 30th Chaos Communication Congress (CCC), security researcher Ilja van Sprundel devoted half of his presentation to problems in the X.Org server and the other half to the security of the X11 client libraries. Ilja's report, which in 2013 identified 30 vulnerabilities affecting various X11 client libraries as well as Mesa's DRI components, included such emotional statements as "GLX is scary! 80,000 lines of scary!" and "I've found … bugs in the last few months, and I'm not done yet."

Source: opennet.ru
