Problems caused by vulnerability reports generated with AI tools

Daniel Stenberg, author of curl, the utility for receiving and sending data over a network, has criticized the use of AI tools for producing vulnerability reports. Such reports contain detailed information, are written in fluent, natural language and look high-quality, but without careful verification of their factual content they can only mislead, replacing real problems with polished-looking junk.

The curl project pays rewards for discovering new vulnerabilities and has so far received 415 reports of possible problems, of which only 64 were confirmed as vulnerabilities and 77 as bugs unrelated to security. Thus 64% of all reports contained no useful information and only consumed developer time that could have been spent on something useful.

Developers are forced to spend a great deal of time analyzing worthless reports and repeatedly double-checking the information in them, because the polished presentation lends the content extra credibility and creates the feeling that the developer must have misunderstood something. On the other side, producing such a report takes minimal effort from the submitter, who does not bother to check for a real problem but blindly copies the output of AI assistants, hoping to get lucky in the race for a reward.

Two examples of such junk reports are given. The day before the planned disclosure of the dangerous October vulnerability (CVE-2023-38545), a report was submitted via HackerOne claiming that a patch with the fix had already become publicly available. In reality, the report was a mixture of facts about similar problems and snippets of detailed information about past vulnerabilities, generated by Google's AI assistant Bard. As a result, the information looked new and significant, yet bore no relation to reality.

The second example concerns a message received on December 28 about a buffer overflow in the WebSocket handler, sent by a user who had already reported vulnerabilities to various projects via HackerOne. As a way to reproduce the problem, the report offered only general words about sending a modified request with a value larger than the size of the buffer used when copying with strcpy. The report also provided an example fix (replacing strcpy with strncpy) and pointed to the line of code "strcpy(keyval, randstr)", which, according to the reporter, contained the error.

The developer checked everything three times and found no problem, but since the report was written confidently and even came with a fix, there was a nagging feeling that something had been missed somewhere. An attempt to clarify how the researcher had managed to bypass the explicit size check that precedes the strcpy call, and how the keyval buffer could end up smaller than the amount of data read, produced detailed explanations that carried no additional information and merely rehashed generic causes of buffer overflows unrelated to the curl code. The answers resembled a conversation with an AI assistant, and after wasting half a day on futile attempts to find out how the problem manifests, the developer finally became convinced that there was no vulnerability.
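As an added illustration of the pattern the report description implies (constructed example, not curl's own code), the following shows a fixed-size key buffer guarded by an explicit length check before strcpy, together with a small canary-based triage helper that a maintainer can use to confirm whether an oversized value is rejected or actually overwrites adjacent memory. The names KEYVAL_SIZE, store_key and try_store are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not curl's code: size of the fixed key buffer. */
#define KEYVAL_SIZE 32

/* Copy randstr into keyval only if it fits, including the NUL terminator.
 * The explicit check runs before strcpy, so an oversized value never
 * reaches the copy. Returns true when the value was accepted. */
static bool store_key(char keyval[KEYVAL_SIZE], const char *randstr)
{
    size_t len = strlen(randstr);
    if (len >= KEYVAL_SIZE)      /* explicit size check: reject, do not copy */
        return false;
    strcpy(keyval, randstr);     /* safe: len + 1 bytes fit in KEYVAL_SIZE */
    return true;
}

/* Triage helper: build a value of value_len bytes, place a canary right
 * after the key buffer and attempt the store.
 *   2 -> value accepted and canary intact
 *   1 -> value rejected and canary intact
 *   0 -> canary corrupted (a real overflow)
 *  -1 -> requested length too large for this helper */
static int try_store(size_t value_len)
{
    struct {
        char keyval[KEYVAL_SIZE];
        char canary[8];
    } frame;
    static const char sentinel[8] = "CANARY!";
    char value[256];

    if (value_len >= sizeof(value))
        return -1;
    memset(value, 'A', value_len);       /* constructed input of given length */
    value[value_len] = '\0';
    memset(frame.keyval, 0, sizeof(frame.keyval));
    memcpy(frame.canary, sentinel, sizeof(frame.canary));

    bool accepted = store_key(frame.keyval, value);

    if (memcmp(frame.canary, sentinel, sizeof(frame.canary)) != 0)
        return 0;
    return accepted ? 2 : 1;
}

int main(void)
{
    size_t lengths[] = {10, 31, 32, 200};
    for (size_t i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++)
        printf("value length %3zu -> result %d\n", lengths[i], try_store(lengths[i]));
    return 0;
}
```

Running the helper shows that values of 31 bytes or fewer are accepted and longer ones are rejected, and in neither case is the canary disturbed; a report claiming an overflow at such a call site would need to explain how the check before it is bypassed, which is precisely the question the reporter could not answer.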

Source: opennet.ru
