Vulnerability in the Rust standard library

A vulnerability (CVE-2022-21658) has been identified in the Rust standard library, caused by a race condition in the std::fs::remove_dir_all() function. If this function is used to delete temporary files in a privileged application, an attacker can cause the deletion of arbitrary system files and directories that the attacker would not otherwise have permission to delete.

The vulnerability is caused by an incorrect implementation of the symbolic-link check performed before directories are deleted recursively. Instead of preventing symlinks from being followed, remove_dir_all() first checks whether the file is a symlink. If a link is detected, it is deleted as a file; if it is a directory, the function that recursively removes the contents is called. The problem is that there is a small delay between the check and the start of the deletion operation.

In the window after the check has been performed but before the recursive directory deletion has started, an attacker can replace the temporary-file directory with a symbolic link. If the timing is right, the remove_dir_all() function will treat the symbolic link as a directory and begin removing the contents of the location the link points to. Although the success of the attack depends on the exact timing of the directory substitution, and hitting the right moment on the first attempt is unlikely, during testing the researchers were able to carry out a successful attack by running the exploit repeatedly for a few seconds.

All Rust versions from 1.0.0 up to and including 1.58.0 are affected. The issue has currently been resolved in the form of a patch (the fix will be included in the 1.58.1 release, expected within a few hours). You can track the elimination of the vulnerability in distributions on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch, FreeBSD. All users of Rust programs that run with elevated privileges and use the remove_dir_all function are advised to update Rust to version 1.58.1 promptly. Interestingly, the published patch does not resolve the problem on all systems; for example, on REDOX OS and on macOS versions prior to 10.10 (Yosemite), the vulnerability is not closed because of the absence of the O_NOFOLLOW flag, which disables the following of symbolic links.
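As an added illustration (not code from this page or from the Rust project), the hardened approach that the fix relies on, shown in Python because its os module exposes the same O_NOFOLLOW flag and dir_fd-relative system calls: the directory is opened with O_NOFOLLOW and every subsequent operation is performed relative to that descriptor, so a path swapped for a symlink after the check cannot redirect the recursion. It assumes a Unix system with dir_fd support; the demo() scenario, the path names and the "victim" directory are constructed for the example.

```python
import errno, os, tempfile

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def _remove_contents(dir_fd):
    # Every call is relative to dir_fd, an inode we opened ourselves, so a later path swap cannot redirect us.
    for entry in list(os.scandir(dir_fd)):
        if not entry.is_dir(follow_symlinks=False):
            os.unlink(entry.name, dir_fd=dir_fd)
            continue
        try:
            child = os.open(entry.name, NOFOLLOW_DIR, dir_fd=dir_fd)
        except OSError as e:  # swapped for a symlink or file since scandir: remove it as a file
            if e.errno not in (errno.ELOOP, errno.ENOTDIR):
                raise
            os.unlink(entry.name, dir_fd=dir_fd)
            continue
        try:
            _remove_contents(child)
        finally:
            os.close(child)
        os.rmdir(entry.name, dir_fd=dir_fd)

def remove_dir_all_nofollow(path):
    # O_NOFOLLOW makes open() fail with ELOOP when `path` is a symlink; then only the link is unlinked.
    try:
        fd = os.open(path, NOFOLLOW_DIR)
    except OSError as e:
        if e.errno not in (errno.ELOOP, errno.ENOTDIR):
            raise
        return os.unlink(path)
    try:
        _remove_contents(fd)
    finally:
        os.close(fd)
    os.rmdir(path)

def demo():
    # Constructed scenario: after the directory is opened, its path is swapped for a symlink to `victim`.
    base = tempfile.mkdtemp()
    victim, tree = os.path.join(base, "victim"), os.path.join(base, "tmp_tree")
    os.makedirs(os.path.join(tree, "sub")); os.mkdir(victim)
    for p in ("victim/keep.txt", "tmp_tree/sub/junk"):
        open(os.path.join(base, p), "w").close()
    fd = os.open(tree, NOFOLLOW_DIR)
    os.rename(tree, tree + ".moved"); os.symlink(victim, tree)  # the swap in the race window
    _remove_contents(fd); os.close(fd)  # recursion follows the fd, not the swapped path
    remove_dir_all_nofollow(tree)  # path is now a symlink: ELOOP, only the link goes
    return (os.path.exists(os.path.join(victim, "keep.txt")),
            os.listdir(tree + ".moved") == [], not os.path.lexists(tree))
```

demo() returns three booleans: the victim's file survived, the original tree (reached through the descriptor) was emptied, and the planted symlink was removed as a link rather than followed.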

Source: opennet.ru
