Vulnerabilities in NPM leading to overwriting of files on the system

GitHub has disclosed details of seven vulnerabilities in the tar and @npmcli/arborist packages, which provide functions for working with tar archives and for computing dependency trees in Node.js. When a specially crafted archive is extracted, the vulnerabilities allow files to be overwritten outside the directory in which extraction takes place, as far as the current access rights permit. The issues make it possible to achieve arbitrary code execution on the system, for example by appending commands to ~/.bashrc or ~/.profile when the operation is performed by an unprivileged user, or by replacing system files when running as root.

The danger of the vulnerabilities is aggravated by the fact that the problematic code is used by the npm package manager when it operates on npm packages, which makes it possible to attack users by placing a specially crafted npm package in the repository: processing it would execute attacker code on the system. The attack is possible even when packages are installed in "--ignore-scripts" mode, which disables execution of built-in scripts. In total, four of the seven vulnerabilities (CVE-2021-32804, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135) affect npm. The first two issues affect the tar package, and the remaining two affect the @npmcli/arborist package.

The most dangerous vulnerability, CVE-2021-32804, is caused by the fact that when absolute paths specified in a tar archive are sanitized, repeated "/" characters are handled incorrectly: only the first character is removed, while the rest are left in place. For example, the path "/home/user/.bashrc" is converted to "home/user/.bashrc", but the path "//home/user/.bashrc" becomes "/home/user/.bashrc". The second vulnerability, CVE-2021-37713, manifests only on the Windows platform and is related to incorrect sanitization of relative paths that contain a drive letter without a root ("C:some\path") or a reference back to the parent directory ("C:../foo").

The vulnerabilities CVE-2021-39134 and CVE-2021-39135 are specific to the @npmcli/arborist module. The first issue manifests only on systems whose file system does not distinguish character case (macOS and Windows), and allows files to be written to an arbitrary location in the file system by listing two modules among the dependencies, 'foo: "file:/some/path"' and 'FOO: "file:foo.tgz"'; processing them leads to the contents of the /some/path directory being deleted and the contents of foo.tgz being written into it. The second issue allows files to be overwritten through symlink manipulation.

The vulnerabilities were fixed in Node.js releases 12.22.6 and 14.17.6, npm CLI 6.14.15 and 7.21.0, and tar package releases 4.4.19, 5.0.11 and 6.1.10. After receiving the reports as part of its bug bounty program, GitHub paid the researchers $14,500 and scanned the repository contents, which revealed no attempts to exploit the vulnerabilities. To protect against these issues, GitHub has also stopped publishing NPM packages that contain symlinks, hard links or absolute paths to the repository.

Source: opennet.ru