Ghostscript vulnerability exploitable via ImageMagick

Ghostscript, a set of tools for processing, converting and generating documents in the PostScript and PDF formats, has a critical vulnerability (CVE-2021-3781) that allows arbitrary code execution when a specially crafted file is processed. Initially, the problem was brought to attention by Emil Lerner, who spoke about the vulnerability on August 25 at the ZeroNights X conference held in St. receiving bounties by demonstrating attacks on the AirBNB, Dropbox and Yandex.Real Estate services).

On September 5, a working exploit appeared in the public domain that allows attacking systems running Ubuntu 20.04 by passing a specially crafted document, uploaded as an image, to a web script running on the server with the php-imagemagick package. Moreover, according to preliminary information, a similar exploit has been in use since March. It was claimed that systems running GhostScript 9.50 could be attacked, but it turned out that the vulnerability is present in all subsequent versions of GhostScript, including the 9.55 development release from Git.

A fix was proposed on September 8 and, after peer review, was accepted into the GhostScript repository on September 9. In many distributions the problem remains unfixed (the status of update publication can be followed on the pages of Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD). A GhostScript release containing the fix for the vulnerability is scheduled for publication before the end of the month.

The problem is caused by the possibility of bypassing the "-dSAFER" isolation mode due to insufficient checking of the parameters of the PostScript "%pipe%" device, which allowed arbitrary shell commands to be executed. For example, to launch the id utility from a document, it is enough to specify the line "(%pipe%/tmp/&id)(w)file" or "(%pipe%/tmp/;id)(r)file".

Recall that vulnerabilities in Ghostscript pose an increased risk, because this package is used by many popular applications for processing the PostScript and PDF formats. For example, Ghostscript is called during desktop thumbnail creation, background data indexing and image conversion. For a successful attack, in many cases it is enough to simply download the file containing the exploit or to browse the directory holding it in a file manager that supports displaying document thumbnails, for example Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image processors based on the ImageMagick and GraphicsMagick packages, by passing a JPEG or PNG file that contains PostScript code instead of an image (such a file will be processed by Ghostscript, because the MIME type is detected from the content and regardless of the file extension).
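As an added illustration (not part of the original article), the following Python checker mimics the content-based detection described above from the defender's side: it rejects an upload whose declared image extension does not match its bytes, and flags content that would be handed to Ghostscript or that references the %pipe% device. The signature table and the sample files are constructed for this example.

```python
import re

# Constructed magic-byte table for the formats an ImageMagick/GraphicsMagick
# front-end commonly receives. Matching is by content, as the delegate does.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
    "postscript": b"%!",  # "%!PS-Adobe-..." header of PostScript / EPS
}

EXT_TO_FORMAT = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg",
                 "pdf": "pdf", "ps": "postscript", "eps": "postscript"}

# The PostScript device abused in CVE-2021-3781 to escape -dSAFER.
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)


def sniff_format(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_upload(data: bytes, filename: str) -> dict:
    """Compare declared extension with sniffed content and collect findings."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_FORMAT.get(ext, "unknown")
    actual = sniff_format(data)
    findings = []
    if actual != declared:
        findings.append(f"extension claims {declared} but content is {actual}")
    if actual in ("postscript", "pdf"):
        findings.append("content would be delegated to Ghostscript")
    if PIPE_DEVICE.search(data):
        findings.append("references the %pipe% device")
    return {"declared": declared, "actual": actual,
            "findings": findings, "accept": not findings}


# Constructed samples: a genuine PNG header, and the document from the article
# renamed to look like an image.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_PS = b"%!PS-Adobe-3.0\n(%pipe%/tmp/;id)(r)file\n"

if __name__ == "__main__":
    print(check_upload(GOOD_PNG, "photo.png"))
    print(check_upload(DISGUISED_PS, "photo.png"))
```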

Source: opennet.ru