Vulnerabilities in npm that allow writing files onto the system

GitHub has disclosed seven vulnerabilities in the tar and @npmcli/arborist packages, which provide functions for working with tar archives and for reading the dependency tree in Node.js. When a specially crafted archive is extracted, the vulnerabilities allow files to be written outside the root directory into which extraction is performed, as far as access permissions allow. The problems make it possible to arrange arbitrary code execution on the system, for example by appending commands to ~/.bashrc or ~/.profile if the operation is performed by an unprivileged user, or by replacing system files when running as root.

The danger of the vulnerabilities is increased by the fact that the affected code is used by the npm package manager when it operates on npm packages, which makes it possible to attack users by placing a specially crafted npm package in the repository: installing it would execute the attacker's code on the system. The attack is possible even when packages are installed in "--ignore-scripts" mode, which disables execution of the package's built-in scripts. In total, npm is affected by four of the seven vulnerabilities (CVE-2021-32804, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135). The first two problems relate to the tar package, and the remaining two to the @npmcli/arborist package.

The most dangerous vulnerability, CVE-2021-32804, is caused by incorrect handling of repeated "/" characters when absolute paths specified in a tar archive are stripped: only the first character is removed, and all the others remain. For example, the path "/home/user/.bashrc" is converted to "home/user/.bashrc", but the path "//home/user/.bashrc" becomes "/home/user/.bashrc". The second vulnerability, CVE-2021-37713, occurs only on the Windows platform and is related to incorrect sanitization of relative paths that contain an undelimited drive letter ("C:some\path") or a sequence that moves up to the parent directory ("C:../foo").

Vulnerabilities CVE-2021-39134 and CVE-2021-39135 affect the @npmcli/arborist module. The first issue appears only on systems whose file systems do not distinguish character case (macOS and Windows), and allows files to be written to an arbitrary part of the file system by specifying two modules named "foo" among the dependencies: 'foo: "file:/some/path"' and 'FOO: "file:foo.tgz"'. Processing them leads to the contents of the /some/path directory being deleted and the contents of foo.tgz being written in its place. The second issue allows files to be written through symbolic link manipulation.

The vulnerabilities are fixed in Node.js releases 12.22.6 and 14.17.6, npm CLI 6.14.15 and 7.21.0, and the standalone tar package releases 4.4.19, 5.0.11 and 6.1.10. After receiving the report as part of its bug bounty program, GitHub paid the researchers 14,500 dollars and analysed the contents of the repository, which showed no attempts to exploit the vulnerabilities. To protect against these issues, GitHub has also banned publishing npm packages that contain symbolic links, hard links, or absolute paths to the repository.

Source: opennet.ru
