Vulnerability in ImageMagick that leaks the contents of local files

The ImageMagick package, which web developers often use to convert images, has a vulnerability, CVE-2022-44268, that can leak file contents when PNG images prepared by an attacker are converted with ImageMagick. The vulnerability affects systems that process external images and then allow the conversion results to be downloaded.

The vulnerability arises because, when ImageMagick processes a PNG image, it uses the contents of the "profile" parameter from the metadata block to determine the name of the profile file, whose contents are included in the output file. For an attack, it is therefore enough to add to the PNG image a "profile" parameter holding the path of the desired file (for example, "/etc/passwd"); when such an image is processed, for example when it is resized, the contents of that file are included in the output file. If "-" is specified instead of a file name, the handler hangs waiting for input from the standard stream, which can be used to cause a denial of service (CVE-2022-44267).
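One way to screen uploaded PNGs for the metadata described above before they reach ImageMagick, as an added example that is not from the original article or the ImageMagick project. The function names are assumptions of this example, and it also checks the zTXt and iTXt text chunk types, which goes beyond the single case in the text.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # all three start with keyword + NUL


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for each chunk; stop at truncated data."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # declared length runs past the end of the file
        payload = data[pos + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        yield ctype, payload, crc == zlib.crc32(ctype + payload)
        pos = end + 4
        if ctype == b"IEND":
            break  # ignore anything appended after the final chunk


def find_profile_text(data):
    """Return (chunk type, raw value) for text chunks keyed 'profile'."""
    hits = []
    for ctype, payload, _crc_ok in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = payload.partition(b"\x00")
        # Case-insensitive match is a conservative assumption of this example.
        if keyword.strip().lower() == b"profile":
            hits.append((ctype.decode("ascii"), rest[:256]))
    return hits


if __name__ == "__main__":
    # Usage: python scan_png.py upload1.png upload2.png ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = find_profile_text(fh.read())
        for ctype, value in found:
            print(f"{path}: {ctype} keyword 'profile' -> {value!r} (reject upload)")
```

For zTXt and iTXt hits the returned value still contains the compression or language fields; the presence of the keyword is what matters for rejecting the upload.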

An update fixing the vulnerability has not yet been released, but the ImageMagick developers have recommended, as a workaround to block the leak, creating a rule in the settings that restricts access to certain file paths. For example, to deny access via absolute and relative paths, you can add the following to policy.xml:

A script for generating PNG images that exploit the vulnerability is already publicly available.

Source: opennet.ru
