The ImageMagick package, which web developers often use to convert images, has a vulnerability, CVE-2022-44268, that can leak file contents when PNG images prepared by an attacker are converted with ImageMagick. The vulnerability affects systems that process external images and then allow the conversion results to be downloaded.
The vulnerability arises because, when ImageMagick processes a PNG image, it uses the contents of the "profile" parameter from the metadata block to determine the name of a profile file, and that file is embedded in the resulting file. For an attack it is therefore enough to add a "profile" parameter with the path of the desired file to the PNG image (for example, "/etc/passwd"); when such an image is processed, for example when it is converted, the contents of that file are included in the output file. If "-" is given instead of a file name, the handler hangs waiting for input from the standard stream, which can be used to cause a denial of service (CVE-2022-44267).
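A defender-side check for the mechanism described above, as an added example that is not from the original article or from the ImageMagick project: it walks a PNG's chunks and reports text chunks whose keyword is "profile" before the file reaches the converter. It assumes the "profile" parameter is carried as the keyword of a tEXt, zTXt or iTXt chunk; the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data):
    """Yield (type, payload) for each chunk; stop quietly on truncation."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) < length:
            break  # truncated chunk: nothing further can be trusted
        yield ctype, payload
        pos += 12 + length  # length + type + payload + CRC

def text_value(ctype, rest):
    """Decode the text part of a tEXt/zTXt/iTXt chunk (bytes after the keyword)."""
    try:
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # skip compression-method byte
        elif ctype == b"iTXt":
            compressed = rest[:1] == b"\x01"
            rest = rest[2:].split(b"\x00", 2)[2]  # drop language tag + translated keyword
            if compressed:
                rest = zlib.decompress(rest)
    except (zlib.error, IndexError):
        return "<undecodable>"
    return rest.decode("latin-1")

def find_profile_refs(data):
    """Return (chunk_type, value) pairs; assumes 'profile' is a text-chunk keyword."""
    hits = []
    for ctype, payload in iter_chunks(data):
        keyword, _, rest = payload.partition(b"\x00")
        if ctype in TEXT_CHUNKS and keyword.strip().lower() == b"profile":
            hits.append((ctype.decode(), text_value(ctype, rest)))
    return hits

def make_chunk(ctype, payload):
    """Build one PNG chunk (used only for the constructed samples below)."""
    crc = struct.pack(">I", zlib.crc32(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

# Constructed samples: chunk skeletons with no image data, not decodable images.
SAMPLE_FLAGGED = PNG_SIG + make_chunk(b"tEXt", b"profile\x00/etc/passwd") + make_chunk(b"IEND", b"")
SAMPLE_CLEAN = PNG_SIG + make_chunk(b"tEXt", b"Comment\x00test") + make_chunk(b"IEND", b"")
```

Calling `find_profile_refs()` on the raw bytes of an upload returns an empty list for files with no such chunk, so a non-empty result can be logged and the file held back from conversion.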
An update fixing the vulnerability has not yet been released, but the ImageMagick developers recommend, as a workaround to block the leak, creating a rule in the settings that restricts access to certain file paths. For example, to deny access via absolute and relative paths, you can add the following to policy.xml:
A script for generating PNG images that exploit the vulnerability is already publicly available.

Source: opennet.ru
