UDaniel Stenberg, umbhali womsebenzi wokufumana kunye nokuthumela idatha kwi-curl yenethiwekhi, ugxeke ukusetyenziswa kwezixhobo ze-AI xa udala iingxelo zobuthathaka. Iingxelo ezinjalo ziquka iinkcukacha ezicacileyo, zibhalwe ngolwimi oluqhelekileyo kwaye zibukeka ziphezulu, kodwa ngaphandle kokuhlalutya okucingayo ngokwenene ziyakwazi ukudukisa kuphela, zitshintshe iingxaki zangempela kunye nomxholo ophezulu wokujonga inkunkuma.
Iprojekthi ye-Curl ihlawula umvuzo ngokuchonga ubuthathaka obutsha kwaye sele ifumene iingxelo ezingama-415 zeengxaki ezinokwenzeka, apho zingama-64 kuphela eziye zaqinisekiswa njengezibuthathaka kunye nama-77 njengeentsholongwane ezingezizo ezokhuseleko. Ngaloo ndlela, i-66% yazo zonke iingxelo zazingenalo naluphi na ulwazi oluluncedo kwaye zithatha kuphela ixesha kubaphuhlisi ababenokuchithwa kwinto eluncedo.
Abaphuhlisi baphoqeleka ukuba bachithe ixesha elininzi lokuhlaziya iingxelo ezingenamsebenzi kunye nokuhlola kabini ulwazi oluqulethwe apho amaxesha amaninzi, ekubeni umgangatho wangaphandle woyilo udala ukuzithemba okongeziweyo kulwazi kwaye kukho imvakalelo yokuba umphuhlisi akayiqondi into ethile. Kwelinye icala, ukuvelisa ingxelo enjalo kufuna umgudu omncinci kumfaki-sicelo, ongazikhathaziyo ngokujonga ingxaki yokwenyani, kodwa ukhuphela ngokulula idatha efunyenwe kubancedisi be-AI, enethemba lethamsanqa kumzabalazo wokufumana umvuzo.
Imizekelo emibini yeengxelo ezinjalo zenkunkuma zinikiwe. Ngomhla ngaphambi kokubhengezwa okucwangcisiweyo kolwazi malunga nomngcipheko onobungozi ka-Oktobha (CVE-2023-38545), ingxelo yathunyelwa ngeHackerone ukuba isiqwenga esinokulungiswa siye safumaneka esidlangalaleni. Ngapha koko, ingxelo iqulethe umxube weenyani malunga neengxaki ezifanayo kunye neziqwengana zolwazi oluneenkcukacha malunga nobuthathaka obudlulileyo obuhlanganiswe ngumncedisi kaGoogle we-AI uBard. Ngenxa yoko, ulwazi lwalubukeka lutsha kwaye lufanelekile, kwaye alunanxibelelwano nenyani.
Umzekelo wesibini uphathelene nomyalezo ofunyenwe ngoDisemba 28 malunga nokuphuphuma kwe-buffer kwi-WebSocket handler, ethunyelwe ngumsebenzisi oye wazisa iiprojekthi ezahlukeneyo malunga nobuthathaka ngeHackerone. Njengendlela yokuvelisa kwakhona ingxaki, ingxelo iquke amagama ngokubanzi malunga nokudlulisa isicelo esilungisiweyo esinexabiso elikhulu kunobukhulu besithinteli esisetyenziswa xa kukotshwa nge-strcpy. Ingxelo iphinde inike umzekelo wokulungiswa (umzekelo wokutshintsha i-strcpy nge-strncpy) kwaye ibonise ikhonkco kumgca wekhowudi "strcpy(keyval, randstr)", leyo, ngokutsho komfaki-sicelo, iqulethe impazamo.
Umphuhlisi uhlolisise yonke into kathathu kwaye akazange afumane naziphi na iingxaki, kodwa ekubeni ingxelo ibhaliwe ngokuzithemba kwaye iqulethe ukulungiswa, kwakukho ukuvakalelwa kukuba kukho into elahlekileyo kwindawo ethile. Umzamo wokucacisa ukuba umphandi wakwazi njani ukudlula ubungakanani obucacileyo obukhoyo phambi komnxeba we-strcpy kunye nendlela ubungakanani be-keyval buffer bube bungaphantsi kobungakanani bedatha efundiweyo ekhokelela kwingcaciso, kodwa ingathwali ulwazi olongezelelweyo, iinkcazo. ehlafuna kuphela izizathu eziqhelekileyo zokuphuphuma kwe-buffer ezinganxulumananga nekhowudi ethile ye-Curl. Iimpendulo zazisikhumbuza ukunxibelelana nomncedisi we-AI, kwaye emva kokuchitha isiqingatha sosuku kwiinzame ezingenamsebenzi zokufumana ngokuthe ngqo indlela ingxaki ezibonakalisa ngayo, umphuhlisi ekugqibeleni waqiniseka ukuba akukho mngcipheko.
umthombo: opennet.ru