Glibc vulnerability exploitable through PHP scripts

A vulnerability (CVE-2024-2961) has been identified in Glibc, the standard C library, that leads to a buffer overflow when specially crafted strings are converted to the ISO-2022-CN-EXT encoding with the iconv() function. The researcher who identified the problem plans to give a presentation at the OffensiveCon conference on May 10; its announcement mentions that the vulnerability can be exploited through applications written in PHP. The issue is said to affect the entire PHP ecosystem and some other applications.

When converting strings encoded in UCS4, as required by RFC 1922, the library adds escape characters to mark the parts of the string where the encoding changes. The vulnerability is caused by incorrect bounds checking of internal buffers in the iconv() function, which can lead to a buffer overflow of up to 4 bytes. When the buffer overflows, only certain fixed values can be written past its end, such as '$+I', '$+J', '$+K', '$+L', '$+M' and '$*H'. Although using such a vulnerability to execute code seems unlikely, according to the researcher who found the problem it was enough to prepare several working exploits for remote attacks on PHP applications that lead to code execution.
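The bug class described above, as an added example that is not glibc source and not code from the original article: a simplified model of an escape-sequence emitter without and with the missing room check. All names, the 16-byte buffer and the guard region are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the bug class, not glibc source; all names are hypothetical. */
enum { CONV_OK, CONV_FULL_OUTPUT };
enum { CAP = 16, GUARD = 4, CANARY = 0xAA }; /* GUARD: slack that makes the overrun observable */
/* ESC $ + I, one of the fixed designation sequences; the page lists its tail as '$+I'. */
static const unsigned char ESCAPE[4] = { 0x1b, '$', '+', 'I' };

struct outbuf { unsigned char *p; size_t len, cap; };

/* Flawed pattern: the escape is copied without checking the space left. */
static int emit_escape_unchecked(struct outbuf *o)
{
    memcpy(o->p + o->len, ESCAPE, sizeof ESCAPE);
    o->len += sizeof ESCAPE;
    return CONV_OK;
}

/* Hardened pattern: report a full buffer so the caller can supply more space. */
static int emit_escape_checked(struct outbuf *o)
{
    if (o->cap - o->len < sizeof ESCAPE)
        return CONV_FULL_OUTPUT;
    memcpy(o->p + o->len, ESCAPE, sizeof ESCAPE);
    o->len += sizeof ESCAPE;
    return CONV_OK;
}

/* Leave `room` (0..CAP) free bytes, emit once, count guard bytes overwritten. */
static int bytes_past_end(size_t room, int checked)
{
    unsigned char mem[CAP + GUARD];
    struct outbuf o = { mem, CAP - room, CAP };
    int i, clobbered = 0;
    memset(mem, CANARY, sizeof mem);
    if (checked) emit_escape_checked(&o); else emit_escape_unchecked(&o);
    for (i = 0; i < GUARD; i++)
        clobbered += mem[CAP + i] != CANARY;
    return clobbered;
}

int main(void)
{
    size_t room;
    for (room = 0; room <= 4; room++)
        printf("room=%zu unchecked=%d checked=%d\n", room,
               bytes_past_end(room, 0), bytes_past_end(room, 1));
    return 0;
}
```

With one free byte left, the unchecked form places exactly the three bytes `$+I` beyond the logical end of the buffer; the checked form writes nothing and returns the full-output status instead.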

The vulnerability has been present since 2000 and was fixed in the current development branch, Glibc 2.40. The fix is also available as patches for Glibc releases 2.32 through 2.39. In distributions, the status of the fix can be tracked on these pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

Source: opennet.ru
