Vulnerabilities in the Cargo package manager used in Rust projects

Two vulnerabilities have been identified in the Cargo package manager, used to manage packages and build projects in the Rust language, that can be exploited when downloading specially crafted packages from third-party repositories (it is stated that users of the official crates.io repository are not affected). The first vulnerability (CVE-2022-36113) allows the first two bytes of any file to be written, as far as the current permissions allow. The second vulnerability (CVE-2022-36114) can be used to exhaust free disk space.

The vulnerabilities will be fixed in the Rust 1.64 release, scheduled for September 22. They have been assigned a low severity, since comparable harm can be done when using unverified packages from third-party repositories through the standard ability to run handlers from build scripts or procedural macros shipped in the package. At the same time, the issues mentioned here stand out because they are exploited when the package is unpacked after download (without a build).

Specifically, after downloading a package, Cargo unpacks its contents into the ~/.cargo directory and records a marker of successful extraction in the .cargo-ok file. The essence of the first vulnerability is that a package author can place a symbolic link named .cargo-ok inside the package, which causes the text "ok" to be written to the file the link points to.

The second vulnerability is caused by the absence of a limit on the size of the data extracted from the archive, which can be used to create "zip bombs" (an archive can contain data that achieves the maximum zip compression ratio, roughly 28 million times; in that case, for example, a specially crafted 10 MB zip file results in about 281 TB of unpacked data).
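As an added illustration (not code from Cargo or from the article), the following Python check inspects a downloaded package archive before extraction for the two patterns described above: a link member named .cargo-ok, and a declared unpacked size beyond a budget. It assumes the archive is a gzip-compressed tar (the .crate layout) and uses a hypothetical 512 MiB budget; the sample archive is constructed in the script.

```python
import io
import tarfile

MAX_UNPACKED_BYTES = 512 * 1024 * 1024  # hypothetical extraction budget (assumption)


def audit_crate(crate_bytes: bytes, max_unpacked: int = MAX_UNPACKED_BYTES) -> list[str]:
    """Inspect a gzip-compressed tar archive before extracting it.

    Flags the two conditions the advisory describes:
    1. a symbolic or hard link whose basename is .cargo-ok, which would
       redirect the "ok" marker write to whatever path the link names;
    2. a total declared unpacked size above the budget, the pattern a
       decompression bomb relies on.
    Returns human-readable findings; an empty list means nothing was flagged.
    """
    findings = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:
            # The marker is written by name, so the link's name is what matters.
            if (member.issym() or member.islnk()) and member.name.rsplit("/", 1)[-1] == ".cargo-ok":
                findings.append(f"link named .cargo-ok -> {member.linkname}")
            if member.isfile():
                # The tar header declares the size that extraction will actually produce,
                # so summing headers bounds disk usage without inflating anything.
                total += member.size
                if total > max_unpacked:
                    findings.append(f"declared unpacked size exceeds {max_unpacked} bytes")
                    break
    return findings


def build_sample_crate(malicious: bool = True) -> bytes:
    """Construct a small in-memory archive (sample data, not a real crate)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if malicious:
            link = tarfile.TarInfo("evil-0.1.0/.cargo-ok")
            link.type = tarfile.SYMTYPE
            link.linkname = "/placeholder/target/file"  # placeholder path, not a real target
            tar.addfile(link)
        # 64 MiB of zeros gzips to a few KiB, but the header still declares the full size.
        src = tarfile.TarInfo("evil-0.1.0/src/lib.rs")
        src.size = 64 * 1024 * 1024 if malicious else 16
        tar.addfile(src, io.BytesIO(bytes(src.size)))
    return buf.getvalue()
```

Run `audit_crate(build_sample_crate(), max_unpacked=16 * 1024 * 1024)` to see both findings; the clean variant returns an empty list.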

Source: opennet.ru
