Vulnerabilities in Snapd and Rust Coreutils Allow Root Access on Ubuntu

Qualys has identified a vulnerability (CVE-2026-3888) in the combination of snap-confine and systemd-tmpfiles shipped in Ubuntu that allows an unprivileged user to gain root access to the system. The issue manifests in the default configuration of Ubuntu starting with release 24.04. On Ubuntu 16.04-22.04, the vulnerability can be exploited in non-default configurations that mimic the behavior of newer releases of the distribution. The fix for Ubuntu is available in yesterday's snapd package update. The issue is fixed in snapd 2.75.

The vulnerability stems from an incorrect interaction between the snap-confine and systemd-tmpfiles utilities, both of which run with elevated privileges. snap-confine creates the sandbox environment for running snap applications, while systemd-tmpfiles automatically cleans up temporary files and directories. By default, systemd-tmpfiles is configured to delete all stale files and directories in /tmp, which an attacker can use to replace the /tmp/.snap directory after it has been removed by systemd-tmpfiles but before it is recreated by snap-confine.

The attack involves waiting for the temporary-file cleanup process to run, replacing the /tmp/.snap directory after it has been deleted, and placing a modified copy of the libraries in /tmp/.snap/usr/lib/x86_64-linux-gnu.exchange. The attacker may have to wait several days for systemd-tmpfiles to run, since the cleanup process runs once every 10 days on Ubuntu 24.04 and once every 30 days on newer releases. After replacing the directory, the attacker starts a new sandbox environment using snap-confine.

While the sandbox contents are being assembled in the temporary /tmp/.snap directory, the attacker waits for the right moment and renames /tmp/.snap/usr/lib/x86_64-linux-gnu.exchange to /tmp/.snap/usr/lib/x86_64-linux-gnu, thereby replacing the libraries and ensuring that they are bind-mounted with root privileges. This gives the attacker control over the shared libraries and the ld.so loader used in the snap sandbox environment and allows them to execute arbitrary code with root privileges by running any suid program that uses dynamic linking.

With root access inside a sandbox environment isolated by AppArmor and a seccomp-based system call filter, the attacker can copy /bin/bash to the /var/snap/$SNAP/common/ directory and set its permissions to "04755" (suid root). Although the permissions are changed inside the sandbox, the file with the changed permissions is also accessible on the host system. Therefore, to gain full root access, it is enough to run /var/snap/<snap_package_name>/common/bash as a regular, unprivileged user on the host system.

A vulnerability has also been found in the uutils coreutils toolkit (Rust Coreutils), a Rust analog of the GNU Coreutils package. The vulnerability allows an unprivileged user to gain root privileges. The issue was discovered during the Ubuntu 25.10 transition and was resolved with a workaround before the Ubuntu 25.10 release by shipping /usr/bin/gnurm instead of uutils rm. The issue was fixed in the uutils coreutils 0.3.0 release, without the changelog noting that a vulnerability had been addressed (it noted only that rm, du, chmod, and chgrp had been switched to a safe directory traversal method).

The issue is caused by a race condition in the "rm" utility, which allows a local user to replace the contents of a directory with a symbolic link while a user-controlled file is being deleted by an "rm" process running with root privileges. Among other things, the vulnerability can be exploited through the /etc/cron.daily/apport script, which cron runs daily. This script, which runs with root privileges, recursively deletes the contents of the /var/crash directory, which is writable by all users on the system.

When deleting directories recursively, the rm utility first scans all directories and then deletes them in sequence by calling the rmdir() function. If a parent directory is replaced by a symbolic link immediately after that directory has been scanned but before its child directories are scanned, the operation results in the deletion of the directory the symbolic link points to. This allows not only the removal of any file on the system but also privilege escalation, by removing the /tmp/snap-private-tmp/$SNAP/tmp/.snap directory in order to replace the contents of the snap package's sandbox environment (the method of gaining root is similar to the first vulnerability).
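
The difference between path-based and descriptor-relative recursive deletion, as an added Python example (not code from uutils, GNU Coreutils or the article). The function names and the `on_scanned` hook, which stands in for the race window so the behaviour is reproducible, are hypothetical; the article only says the fix was a safe traversal method, and the `openat()`-style approach shown here is an assumption about what that involves.

```python
import errno
import os

# O_NOFOLLOW makes open() fail if the final path component is a symlink.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def rmtree_by_path(path, on_scanned=None):
    """Path-based removal: every step re-resolves `path`, so it is racy."""
    names = os.listdir(path)
    if on_scanned:
        on_scanned(path)          # hypothetical test hook: the race window
    for name in names:
        child = os.path.join(path, name)
        if os.path.isdir(child) and not os.path.islink(child):
            rmtree_by_path(child, on_scanned)
        else:
            os.unlink(child)      # resolved through whatever `path` is now
    os.rmdir(path)

def rmtree_by_fd(name, dir_fd=None, on_scanned=None):
    """fd-relative removal: children are addressed via the opened directory."""
    try:
        fd = os.open(name, DIR_FLAGS, dir_fd=dir_fd)
    except OSError as e:
        if e.errno in (errno.ENOTDIR, errno.ELOOP):
            os.unlink(name, dir_fd=dir_fd)   # file or symlink: remove the entry itself
            return
        raise
    try:
        with os.scandir(fd) as it:
            names = [entry.name for entry in it]
        if on_scanned:
            on_scanned(name)      # same hypothetical test hook as above
        for child in names:
            # The child is looked up relative to fd, not by re-walking the path.
            rmtree_by_fd(child, dir_fd=fd, on_scanned=on_scanned)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)  # rmdir() never follows a symlink
```

If the directory is swapped for a symbolic link mid-run, `rmtree_by_fd` keeps working on the directory it originally opened and the final `rmdir()` fails with ENOTDIR instead of touching the link target.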

Source: opennet.ru
