GitHub e senotse lintlha tsa bofokoli bo supileng ka har'a liphutheloana tsa tar le @npmcli/arborist, tse fanang ka mesebetsi ea ho sebetsa ka li-archives tsa tar le ho bala sefate sa ho itšetleha ho Node.js. Bofokoli bo lumella, ha ho notlolloa polokelong ea polokelo e entsoeng ka mokhoa o ikhethileng, ho ngola lifaele ka ntle ho bukana ea motso eo ho e phuthollang ho etsoang ho eona, ho ea kamoo litokelo tsa hona joale tsa phihlello li lumellang. Mathata a etsa hore ho khonehe ho hlophisa ts'ebetso ea khoutu e ikemetseng tsamaisong, mohlala, ka ho eketsa litaelo ho ~/.bashrc kapa ~/.profile ha opereishene e etsoa ke mosebelisi ea se nang tokelo, kapa ka ho fetola lifaele tsa sistimi ha e sebetsa joalo ka motso.
Kotsi ea bofokoli e mpefatsoa ke taba ea hore khoutu e nang le bothata e sebelisoa ho molaoli oa sephutheloana sa npm ha o etsa ts'ebetso ka liphutheloana tsa npm, e leng se etsang hore ho khonehe ho hlophisa tlhaselo ho basebelisi ka ho beha sephutheloana se ikhethileng sa npm sebakeng sa polokelo, ts'ebetso. eo e tla phethahatsa khoutu ea mohlaseli tsamaisong. Tlhaselo e ka etsahala le ha o kenya liphutheloana ka mokhoa oa "-ignore-scripts", e thibelang ho etsoa ha mangolo a hahiloeng. Ka kakaretso, npm e ama likotsi tse 'ne (CVE-2021-32804, CVE-2021-37713, CVE-2021-39134 le CVE-2021-39135) ho tse supileng. Mathata a mabeli a pele a ama sephutheloana sa tar, 'me a mabeli a setseng a ama sephutheloana sa @npmcli/arborist.
Kotsi e kotsi ka ho fetesisa, CVE-2021-32804, e bakoa ke taba ea hore ha ho hlakoloa litsela tse felletseng tse boletsoeng polokelong ea tar, litlhaku tse pheta-phetoang tsa "/" li sebetsoa ka mokhoa o fosahetseng - ho tlosoa sebapali sa pele, ha ba bang kaofela ba sala. Ka mohlala, tsela "/home/user/.bashrc" e tla fetoleloa ho "home/user/.bashrc" le tsela "//home/user/.bashrc" ho ea ho "/home/user/.bashrc". Kotsi ea bobeli, CVE-2021-37713, e hlaha feela sethaleng sa Windows mme e amahanngoa le ho hloekisoa ho fosahetseng ha litsela tse amanang tse kenyelletsang sebopeho sa drive se sa lekanyetsoang ("C: some\path") le tatellano ea ho khutlela bukeng e fetileng ( “C:../foo”) .
Vulnerabilities CVE-2021-39134 le CVE-2021-39135 li tobile ho @npmcli/arborist module. Bothata ba pele bo hlaha feela ho litsamaiso tse sa khetholleng taba ea litlhaku ho sistimi ea faele (macOS le Windows), mme e o lumella ho ngolla lifaele karolong e ikhethileng ea sistimi ea faele ka ho hlakisa li-module tse peli "foo" har'a litšepe. : "file:/some/path"' le 'FOO: "file:foo.tgz"', ts'ebetso ea eona e tla lebisa ho hlakoleng likahare tsa /some/path directory le ho ngola litaba tsa foo.tgz ho eona. Bothata ba bobeli bo lumella lifaele hore li hlakoloe ka ho qhekella ha lihokelo tsa tšoantšetso.
Bofokoli bo rarolloa ho Node.js tokollo 12.22.6 le 14.17.6, npm CLI 6.14.15 le 7.21.0, le ho lokolloa ha sephutheloana sa tar 4.4.19, 5.0.11, le 6.1.10. Kamora ho fumana tlhaiso-leseling e mabapi le bothata e le karolo ea "bug bounty", GitHub e ile ea lefa bafuputsi $14500 mme ea hlahloba litaba tsa polokelo, tse sa kang tsa senola boiteko ba ho sebelisa hampe bofokoli. Ho itšireletsa khahlanong le litaba tsena, GitHub e boetse e thibetse ho phatlalatsa liphutheloana tsa NPM tse kenyelletsang lihokelo tsa tšoantšetso, lihokelo tse thata, le litsela tse felletseng tsa polokelo.
Source: opennet.ru