Vulnerabilities in swhkd, a hotkey manager for Wayland

A series of vulnerabilities has been identified in swhkd (Simple Wayland HotKey Daemon), caused by incorrect handling of temporary files, command-line parameters and Unix sockets. The program is written in Rust and handles hotkey presses in environments based on the Wayland protocol (a configuration-file-compatible analogue of the sxhkd process used in X11-based environments).

The package includes an unprivileged swhks process that performs the hotkey actions, and a background swhkd process that runs as root and interacts with input devices at the level of the uinput API. A Unix socket is used to organize communication between swhks and swhkd. Through Polkit rules, any local user can run the /usr/bin/swhkd process as root and pass parameters to it.

Identified vulnerabilities:

  • CVE-2022-27815 - The process PID is saved to a file with a predictable name in a directory writable by other users (/tmp/swhkd.pid). Any user can create the file /tmp/swhkd.pid and put the PID of an existing process into it, which prevents swhkd from starting. If there is no protection against creating symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any system directory (the PID is written to the file) or to determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). Notably, in the released fix the PID file was moved not to the /run directory but to the /etc directory (/etc/swhkd/runtime/swhkd_{uid}.pid), where it does not belong either.
  • CVE-2022-27814 - By manipulating the "-c" command-line option, which specifies the configuration file, it is possible to determine whether any file exists on the system. For example, to check /root/.somefile you can run "pkexec /usr/bin/swhkd -d -c /root/.somefile", and if the file is missing, the error "/root/.somefile doesn't exist" is displayed. As with the first vulnerability, the fix is puzzling: it comes down to launching the external utility "cat" ('Command::new("/bin/cat").arg(path).output()') to read the configuration file.
  • CVE-2022-27819 - The issue is also related to the "-c" option: the configuration file it names is loaded and parsed in full without checking the size and type of the file. For example, to cause a denial of service by exhausting free memory and generating spurious I/O, you can specify a block device at startup ("pkexec /usr/bin/swhkd -d -c /dev/sda") or a character device that produces an endless stream of data. The problem was addressed by dropping privileges before opening the file, but the fix is incomplete, since only the user ID (UID) is reset while the group ID (GID) stays the same.
  • CVE-2022-27818 - The Unix socket is created using the file /tmp/swhkd.sock in a world-writable directory, which leads to problems similar to the first vulnerability (any user can create /tmp/swhkd.sock and generate or intercept keypress events).
  • CVE-2022-27817 - Input events are accepted from all devices and in all sessions, i.e. a user from another Wayland session or from the console can intercept events when hotkeys are pressed by other users.
  • CVE-2022-27816 - The swhks process, like swhkd, uses a PID file, /tmp/swhks.pid, in the world-writable /tmp directory. The problem is similar to the first vulnerability, but less dangerous, because swhks runs as an unprivileged user.
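
The PID-file problems in CVE-2022-27815 and CVE-2022-27816 come down to opening a predictable path that another user may have pre-created or replaced with a symbolic link, and to echoing whatever that file contains. The sketch below is an added example, not swhkd's own code: the names `create_pid_file` and `read_pid_file` are hypothetical, and the directory passed in is assumed to be writable only by the daemon's user.

```rust
use std::fs::{File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

/// Create `<dir>/<name>.pid` containing `pid`. `dir` is assumed to be a
/// directory only the daemon's user can write to (not /tmp).
pub fn create_pid_file(dir: &Path, name: &str, pid: u32) -> io::Result<PathBuf> {
    let path = dir.join(format!("{}.pid", name));
    let mut file = OpenOptions::new()
        .write(true)
        // O_CREAT|O_EXCL: fails with AlreadyExists if anything is already at
        // the path, including a symlink, so a planted link is never followed.
        .create_new(true)
        .mode(0o644)
        .open(&path)?;
    writeln!(file, "{}", pid)?;
    Ok(path)
}

/// Return the PID stored in `path`, accepting only a short regular file that
/// holds a decimal number. The raw content is never returned or printed.
pub fn read_pid_file(path: &Path) -> io::Result<u32> {
    let bad = |msg: &str| io::Error::new(io::ErrorKind::InvalidData, msg.to_string());
    let file = File::open(path)?;
    let meta = file.metadata()?; // fstat on the opened handle, no second lookup by name
    if !meta.is_file() || meta.len() > 16 {
        return Err(bad("PID file is not a short regular file"));
    }
    let mut text = String::new();
    file.take(16).read_to_string(&mut text)?;
    text.trim().parse::<u32>().map_err(|_| bad("PID file does not hold a number"))
}

fn main() -> io::Result<()> {
    // Constructed demo directory standing in for the daemon's runtime directory.
    let dir = std::env::temp_dir().join(format!("pidfile-demo-{}", std::process::id()));
    std::fs::create_dir_all(&dir)?;
    let path = create_pid_file(&dir, "daemon", std::process::id())?;
    println!("wrote {} -> pid {}", path.display(), read_pid_file(&path)?);
    // A second instance (or a pre-planted file) is reported, not overwritten.
    println!("second create: {:?}", create_pid_file(&dir, "daemon", 1).map(|_| ()));
    std::fs::remove_dir_all(&dir)
}
```

Exclusive creation only reports that the path is taken; deciding whether an existing PID file is stale is a separate step this sketch leaves out.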

Source: opennet.ru
