Chiwopsezo chawululidwa (CVE-2021-4160) mu laibulale yachinsinsi ya OpenSSL chifukwa cha zolakwika pakukhazikitsa adder mu ntchito ya BN_mod_exp, zomwe zimapangitsa kubweza zotsatira zolakwika za squaring operation. Nkhaniyi imangochitika pa hardware yotengera MIPS32 ndi MIPS64, ndipo imatha kusokoneza ma algorithms a elliptic curve, kuphatikiza omwe amagwiritsidwa ntchito mosakhazikika mu TLS 1.3. Nkhaniyi idakonzedwa muzosintha za Disembala OpenSSL 1.1.1m ndi 3.0.1.
Zikudziwika kuti kukhazikitsidwa kwa kuukira kwenikweni kuti mudziwe zambiri za makiyi achinsinsi pogwiritsa ntchito vuto lomwe lazindikiridwa limaganiziridwa kuti ndi RSA, DSA ndi Diffie-Hellman algorithm (DH, Diffie-Hellman) momwe zingathere, koma zokayikitsa, zovuta kwambiri kuti zitheke. zimafuna zida zazikulu zamakompyuta. Pachifukwa ichi, kuwukira kwa TLS sikuphatikizidwa, chifukwa mu 2016, pochotsa chiopsezo cha CVE-2016-0701, kugawana kiyi imodzi yachinsinsi ya DH pakati pa makasitomala kunali koletsedwa.
Kuphatikiza apo, ziwopsezo zingapo zomwe zadziwika posachedwa pamapulojekiti otseguka zitha kudziwika:
- Zowopsa zingapo (CVE-2022-0330) mu dalaivala wazithunzi za i915 chifukwa chosowa kukonzanso kwa GPU TLB. Ngati IOMMU (kumasulira maadiresi) sikugwiritsidwa ntchito, chiwopsezocho chimalola mwayi wofikira masamba okumbukira mwachisawawa kuchokera kumalo ogwiritsira ntchito. Vutoli litha kugwiritsidwa ntchito kuipitsa kapena kuwerenga ma data ochokera m'malo okumbukira mwachisawawa. Vutoli limapezeka pa ma Intel GPU onse ophatikizika komanso osadziwika. Kukonzekera kumakhazikitsidwa ndikuwonjezera kukakamizidwa kwa TLB musanagwire ntchito iliyonse yobwezeretsa buffer ya GPU kudongosolo, zomwe zipangitsa kuti magwiridwe antchito achepe. Zochita zimatengera GPU, magwiridwe antchito a GPU, komanso kuchuluka kwadongosolo. Kukonzekera kumangopezeka ngati chigamba.
- Vulnerability (CVE-2022-22942) mu vmwgfx graphics driver, yomwe imagwiritsidwa ntchito poyambitsa mathamangitsidwe a 3D m'malo a VMware. Nkhaniyi imalola wogwiritsa ntchito wopanda mwayi kupeza mafayilo otsegulidwa ndi njira zina pamakina. Kuwukira kumafuna mwayi wopeza chipangizo / dev/dri/card0 kapena /dev/dri/rendererD128, komanso kuthekera kotulutsa ioctl() kuyimba ndi chofotokozera fayilo.
- Zowopsa (CVE-2021-3996, CVE-2021-3995) mu laibulale ya libmount yomwe ili mu util-linux phukusi imalola wogwiritsa ntchito wopanda mwayi kutsitsa magawo a disk popanda chilolezo kutero. Vutoli lidadziwika pakuwunika kwa mapulogalamu a SUID-root umount and fusermount.
- Zowopsa mu laibulale yokhazikika ya C Glibc yomwe ikukhudza njira yeniyeni (CVE-2021-3998) ndi ntchito za getcwd (CVE-2021-3999).
- Vuto lomwe lili mu realpath() limayamba chifukwa chobweza mtengo wolakwika nthawi zina, wokhala ndi data yotsalira yomwe sinathetsedwe kuchokera pamndandanda. Pa pulogalamu ya SUID-root fusermount, chiwopsezocho chingagwiritsidwe ntchito kupeza zidziwitso zachidziwitso kuchokera ku memory memory, mwachitsanzo, kuti mudziwe zambiri zolozera.
- Vuto mu getcwd() limalola kusefukira kwa bayiti imodzi. Vutoli limadza chifukwa cha cholakwika chomwe chakhalapo kuyambira 1995. Kuti mupangitse kusefukira, ingoyitanitsani chdir() pa "/" chikwatu pamalo ena okwera. Palibe mawu oti chiwopsezocho chimangokhala pakukonza ngozi, koma pakhala pali zochitika zogwirira ntchito zomwe zimapangidwira pachiwopsezo chofananira m'mbuyomu, ngakhale amakayikira.
- Chiwopsezo (CVE-2022-23220) mu phukusi la usbview chimalola ogwiritsa ntchito akumaloko olowera kudzera pa SSH kuti apereke khodi ngati mizu chifukwa chokhazikitsa malamulo a PolKit (allow_any=yes) ogwiritsira ntchito usbview ngati mizu popanda kutsimikizika. Kugwiritsa ntchito kumatsikira pakugwiritsa ntchito njira ya "-gtk-module" kuti muyike laibulale yanu mu usbview. Vutoli limakhazikitsidwa mu usbview 2.2.
Source: opennet.ru