zlib vulnerability triggered when compressing specially crafted data

A vulnerability (CVE-2018-25032) has been identified in the zlib library that leads to a buffer overflow when an attempt is made to compress a specially prepared sequence of characters in the input data. So far, researchers have demonstrated the ability to cause an abnormal termination of the process. Whether the problem can have more serious consequences has not yet been studied.

The vulnerability appears to have been present since zlib version 1.2.2.2 and also affects the current release, zlib 1.2.11. Notably, a patch fixing the vulnerability was proposed back in 2018, but the developers did not pay attention to it and did not publish a corrective release (the zlib library was last updated in 2017). The fix is also not yet included in the packages shipped by distributions. You can track the publication of fixes by distributions on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The zlib-ng library is not affected by the problem.

The vulnerability occurs when the input stream contains a large number of matches to be packed, and packing is performed using fixed Huffman codes. Under certain conditions, the contents of the intermediate buffer into which the compressed result is written can spill into the memory where the symbol frequency table is stored. As a result, incorrect compressed data is produced and the process crashes because of a write outside the buffer boundary.

The vulnerability can only be exploited through the compression strategy based on fixed Huffman codes. That strategy is chosen when the Z_FIXED option is explicitly enabled in the code (an example of a sequence leading to a crash when using the Z_FIXED option has been published). Judging by the code, the Z_FIXED strategy can also be selected automatically if the optimal and static trees computed for the data turn out to have the same size.

It is not yet clear whether the conditions for exploiting the vulnerability can be arranged when the default compression strategy, Z_DEFAULT_STRATEGY, is used. If not, the vulnerability will be limited to particular systems that explicitly use the Z_FIXED option. If so, the damage from the vulnerability could be very significant, because the zlib library is the de facto standard and is used in many popular projects, including the Linux kernel, OpenSSH, OpenSSL, Apache httpd, libpng, FFmpeg, rsync, dpkg, rpm, Git, PostgreSQL, MySQL, etc.
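A defensive check in the spirit of the advisory, as an added example that is not from the article or from zlib itself: it flags a runtime zlib that falls inside the affected range the article names and swaps an explicitly requested Z_FIXED for Z_DEFAULT_STRATEGY until the library is updated. It assumes versions newer than 1.2.11 carry the fix (the article names no fixed release) and uses Python's standard-library zlib binding.

```python
import zlib

# Affected range named in the advisory: present since 1.2.2.2, still in 1.2.11.
FIRST_AFFECTED = (1, 2, 2, 2)
LAST_AFFECTED = (1, 2, 11)            # assumption: anything newer carries the fix
Z_FIXED = zlib.Z_FIXED                # the strategy the advisory ties to the overflow
Z_DEFAULT = zlib.Z_DEFAULT_STRATEGY   # the strategy to fall back to

def parse_version(text):
    """Turn a zlib version string such as '1.2.11' into a comparable tuple.
    A non-numeric component (e.g. the 'zlib-ng' in '1.2.11.zlib-ng') stops the parse."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def version_is_affected(text):
    """True when a zlib version string lies inside the advisory's affected range.
    zlib-ng reports a zlib-like version string but is unaffected, so it is excluded."""
    if "zlib-ng" in text:
        return False
    v = parse_version(text)
    return FIRST_AFFECTED <= v and v[:3] <= LAST_AFFECTED

def safe_strategy(requested, runtime_version=zlib.ZLIB_RUNTIME_VERSION):
    """Mitigation shim: refuse Z_FIXED on an affected zlib and use the default
    strategy instead. The advisory leaves open whether Z_DEFAULT_STRATEGY can be
    driven into the same code path, so this removes the known trigger only."""
    if requested == Z_FIXED and version_is_affected(runtime_version):
        return Z_DEFAULT
    return requested

def round_trip(data, strategy):
    """Deflate with an explicit strategy and check that the output inflates back."""
    c = zlib.compressobj(level=9, method=zlib.DEFLATED, wbits=15,
                         memLevel=8, strategy=strategy)
    return zlib.decompress(c.compress(data) + c.flush()) == data

# Constructed sample input: repetitive text, i.e. many back-reference matches.
SAMPLE = b"abcabcabcabd" * 200

if __name__ == "__main__":
    print("runtime zlib", zlib.ZLIB_RUNTIME_VERSION,
          "affected:", version_is_affected(zlib.ZLIB_RUNTIME_VERSION))
    chosen = safe_strategy(Z_FIXED)
    print("strategy in use:", chosen, "round trip ok:", round_trip(SAMPLE, chosen))
```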

Source: opennet.ru