Vulnerability in zlib triggered when compressing specially crafted data

A vulnerability (CVE-2018-25032) has been identified in the zlib library that leads to a buffer overflow when compressing a specially crafted sequence of characters in the input data. So far the researchers have only demonstrated the ability to crash the process; whether the problem can have more serious consequences has not yet been investigated.

The vulnerability has been present since zlib 1.2.2.2 and affects the current release, zlib 1.2.11. Notably, a patch fixing the problem was prepared back in 2018, but the developers paid no attention to it and never issued a corrective release (the last zlib release dates from 2017). The fix has not yet been included in the packages shipped by distributions; the availability of fixed packages can be tracked on the distributions' pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The zlib-ng library is not affected by the problem.

The vulnerability is triggered when the input stream contains a large number of matches (repeated sequences) that have to be encoded, and the encoding is done with fixed Huffman codes. Under certain conditions the pending buffer into which the compressed result is written grows into the memory holding the distance symbol table that it overlays. The result is corrupted compressed output and, because writes land beyond the buffer boundary, a crash.

The vulnerability can only be hit in the compression mode based on fixed Huffman codes. That mode is selected when the Z_FIXED strategy is explicitly requested in the code (an example of an input sequence that crashes the process when Z_FIXED is used has been published). Judging by the code, fixed codes can also be chosen automatically when the block encoded with the static (fixed) trees comes out no larger than with the optimal dynamic trees computed for the data.

It is not yet clear whether exploitable conditions can be arranged when the default Z_DEFAULT_STRATEGY compression strategy is used. If not, the vulnerability is confined to the few systems that explicitly pass the Z_FIXED option. If so, its impact could be very significant, since zlib is the de facto standard and is used in many popular projects, including the Linux kernel, OpenSSH, OpenSSL, Apache httpd, libpng, FFmpeg, rsync, dpkg, rpm, Git, PostgreSQL, MySQL and others.
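As an added illustration (not code from the article or from the zlib project), the Python snippet below shows the two practical checks that follow from the text: whether the zlib actually loaded at run time falls inside the affected range the article gives (1.2.2.2 through 1.2.11; zlib 1.2.12, released after this note, is the first release carrying the fix), and which block type zlib emits for a given input under Z_FIXED versus Z_DEFAULT_STRATEGY. It reads the BTYPE bits of the first DEFLATE block header (00 stored, 01 fixed Huffman, 10 dynamic Huffman) from a raw deflate stream, so you can see that Z_FIXED forces fixed codes whenever the block is not stored, and that a stored block is still chosen when it is cheaper. The sample inputs are constructed for the example; nothing here reproduces the crashing sequence.

```python
import zlib

# Affected range as given in the advisory: the bug arrived together with the
# Z_FIXED strategy in zlib 1.2.2.2 and is present through 1.2.11. zlib 1.2.12,
# released after this note, is the first release that carries the fix.
AFFECTED_FROM = (1, 2, 2, 2)
AFFECTED_THROUGH = (1, 2, 11, 0)

# Named here so callers do not need to touch the zlib module directly.
STRATEGY_DEFAULT = zlib.Z_DEFAULT_STRATEGY
STRATEGY_FIXED = zlib.Z_FIXED

# BTYPE values from the DEFLATE block header (RFC 1951, section 3.2.3).
BTYPE_STORED, BTYPE_FIXED, BTYPE_DYNAMIC = 0, 1, 2


def parse_zlib_version(version):
    """Turn '1.2.11' or '1.2.13.zlib-ng' into a 4-tuple of ints, dropping any suffix."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break  # first non-numeric component ends the version proper
        parts.append(int(digits))
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_affected_zlib(version):
    """True if the version string lies in the affected range 1.2.2.2 .. 1.2.11."""
    return AFFECTED_FROM <= parse_zlib_version(version) <= AFFECTED_THROUGH


def runtime_zlib_affected():
    """Check the zlib actually loaded at run time, not the one Python was compiled against."""
    return is_affected_zlib(zlib.ZLIB_RUNTIME_VERSION)


def raw_deflate(data, strategy, level=6):
    # wbits=-15 asks for a raw DEFLATE stream with no zlib header, so byte 0
    # of the output is the first block header: bit 0 = BFINAL, bits 1-2 = BTYPE.
    comp = zlib.compressobj(level=level, wbits=-15, strategy=strategy)
    return comp.compress(data) + comp.flush()


def inflate_raw(stream):
    return zlib.decompress(stream, wbits=-15)


def first_block_type(stream):
    """BTYPE of the first DEFLATE block: 0 stored, 1 fixed Huffman, 2 dynamic Huffman."""
    return (stream[0] >> 1) & 3


def compress_and_classify(data, strategy):
    """Compress with the given strategy, verify the round trip, and report (BTYPE, size)."""
    stream = raw_deflate(data, strategy)
    if inflate_raw(stream) != data:
        raise ValueError("round trip failed")
    return first_block_type(stream), len(stream)


# Constructed sample inputs for this example (not from the advisory).
# Many repeated runs: lots of matches, so a fixed-Huffman block beats storing.
REPETITIVE_TEXT = b"".join(
    b"line %d: the quick brown fox jumps over the lazy dog\n" % i for i in range(400)
)
# Every byte value exactly once: no matches, and fixed codes need more than
# 8 bits per byte on average, so zlib picks a stored block even under Z_FIXED.
NO_MATCHES = bytes(range(256))


if __name__ == "__main__":
    print("runtime zlib", zlib.ZLIB_RUNTIME_VERSION,
          "affected" if runtime_zlib_affected() else "not in affected range")
    names = {BTYPE_STORED: "stored", BTYPE_FIXED: "fixed", BTYPE_DYNAMIC: "dynamic"}
    for label, data in (("repetitive", REPETITIVE_TEXT), ("no matches", NO_MATCHES)):
        for sname, strategy in (("default", STRATEGY_DEFAULT), ("Z_FIXED", STRATEGY_FIXED)):
            btype, size = compress_and_classify(data, strategy)
            print(f"{label:11} {sname:8} first block {names[btype]:8} {size} bytes")
```

The version check deliberately reads ZLIB_RUNTIME_VERSION rather than ZLIB_VERSION: the latter is the header version Python was built against, while the vulnerable code lives in whatever shared library is loaded at run time, which on distribution builds is what the package updates change. Only the first block header is inspected; a longer input can be split into several blocks, each of which gets its own stored/fixed/dynamic decision.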

Source: opennet.ru