Qualys yakaratidza kusazvibata kuviri (CVE-2021-44731, CVE-2021-44730) mune snap-confine utility, yakapihwa neSUID mudzi mureza uye yakadanwa neiyo snapd maitiro kugadzira nharaunda inogoneka yezvikumbiro zvinounzwa mumapakeji ega. mune snap format. Kusagadzikana kunobvumira mushandisi wemuno asina rusarura kuti aite kodhi ine midzi ropafadzo pane system. Nyaya idzi dzinogadziriswa mune yanhasi snapd package update yeUbuntu 21.10, 20.04 uye 18.04.
Kusagadzikana kwekutanga (CVE-2021-44730) inobvumira kurwiswa kuburikidza neyakaoma link manipulation, asi inoda kudzima system hard link kuchengetedza (kuseta sysctl fs.protected_hardlinks ku0). Dambudziko rinokonzerwa nekusasikwa kwechokwadi kwenzvimbo yemafaira anoteeka eiyo snap-update-ns uye snap-discard-ns mapurogiramu ekubatsira anomhanya semidzi. Nzira yekuenda kumafaira aya yakaverengerwa mu sc_open_snapd_tool() basa zvichibva munzira yaro kubva ku/proc/self/exe, iyo inokutendera kuti ugadzire chinongedzo chakaoma chekudzvanya-vharira mudhairekitori rako uye woisa yako shanduro ye snap- update-ns uye snap- utilities mune ino dhairekitori kurasa-ns. Mushure mekumhanya kuburikidza neyakaoma link, snap-confine nemidzi kodzero ichavhura iyo snap-update-ns uye snap-discard-ns mafaera kubva kune yazvino dhairekitori, inotsiviwa neanorwisa.
Kusagadzikana kwechipiri kunokonzerwa nemamiriro emujaho uye kunogona kushandiswa mukumisikidzwa kweUbuntu Desktop. Kuti iko kushandiswa kushande zvinobudirira muUbuntu Server, unofanirwa kusarudza imwe yemapakeji kubva ku "Featured Server Snaps" chikamu paunenge uchiisa. Mamiriro emujaho anoonekwa mune setup_private_mount() basa rinodaidzwa panguva yekugadzirira kwegomo rezita renzvimbo ye snap package. Iri basa rinogadzira dhairekitori renguva pfupi "/tmp/snap.$SNAP_NAME/tmp" kana rinoshandisa riripo kuti risunge-madhairekitori e snap package mariri.
Sezvo zita reiyo dhairekitori renguva pfupi richifungidzirwa, anorwisa anogona kutsiva zvirimo nechiratidzo chekubatanidza mushure mekutarisa muridzi, asi asati adaidza mount system call. Semuyenzaniso, unogona kugadzira symlink "/tmp/snap.lxd/tmp" mu/tmp/snap.lxd dhairekitori inonongedza kudhairekitori risingaite, uye kufona ku mount() kuchatevera symlink uye kukwidza dhairekitori mu. snap namespace. Nenzira yakafanana, unogona kukwidza zvirimo mukati /var/lib uye, nekutsiva /var/lib/snapd/mount/snap.snap-store.user-fstab, ronga kukwidzwa kwe /etc dhairekitori munzvimbo yezita re iyo snap package yekuronga kurodha raibhurari yako kubva nemidzi kodzero nekutsiva /etc/ld.so.preload.
Zvinocherechedzwa kuti kugadzira kubiridzira kwakazove kusiri-diki basa, sezvo snap-confine utility yakanyorwa muGo uchishandisa nzira dzakachengeteka dzehurongwa, ine dziviriro yakavakirwa paAppArmor profiles, mafirita system inofona zvichibva pane seccomp mechanism, uye inoshandisa. iyo gomo namespace yekuzviparadzanisa nevamwe. Zvisinei, vatsvakurudzi vakakwanisa kugadzirira kushandiswa kwekushanda kuti vawane kodzero dzemidzi pahurongwa. Iyo yekubiridzira kodhi ichaburitswa mumavhiki mashoma mushure mevashandisi kuisa iyo yakapihwa zvigadziriso.
Source: opennet.ru