Vulnerability in the Rust standard library

A vulnerability (CVE-2022-21658) has been identified in the Rust standard library, caused by a race condition in the std::fs::remove_dir_all() function. If this function is used to delete temporary files in a privileged application, an attacker can get arbitrary system files and directories deleted, ones the attacker would normally have no permission to remove.

The vulnerability stems from an incorrect implementation of the symbolic-link check performed before a directory is deleted recursively. Instead of preventing symlinks from being followed, remove_dir_all() first checks whether the path is a symlink. If it is a link, it is removed as a file; if it is a directory, the function that recursively removes its contents is called. The problem is that there is a small gap between the check and the start of the removal operation.

In the moment after the check has already been made but the recursive removal has not yet started, an attacker can replace the temporary-files directory with a symbolic link. If the timing is right, remove_dir_all() treats the symlink as a directory and starts deleting the contents of whatever the link points to. Although the attack's success depends on hitting exactly the right moment to swap in the link, and landing it on the first try is unlikely, during testing the researchers achieved a reliably successful attack after letting the exploit run for a few seconds.
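The following is an added example, not the Rust standard library's own code, that makes the two paragraphs above concrete. It places the check-then-recurse pattern described for Rust up to 1.58.0 (lstat, then a path-based read_dir) next to a hardened variant that opens the directory once with O_NOFOLLOW | O_DIRECTORY and does all further work through that descriptor, which is the principle behind the fix (the real patch uses openat/unlinkat/fdopendir; this example reaches the open directory through /proc/self/fd/N instead, so it is Linux-only). The race window is simulated by a `window` callback so the outcome is deterministic; the O_DIRECTORY/O_NOFOLLOW values, the directory names and the `run` helper are assumptions made for the example.

```rust
// Added example (not the Rust project's code). Linux-only: relies on /proc/self/fd
// and on the x86_64/aarch64 values of O_DIRECTORY and O_NOFOLLOW from <fcntl.h>.
use std::fs::{self, File, OpenOptions};
use std::io;
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};

const O_DIRECTORY: i32 = 0o200000; // assumption: Linux x86_64/aarch64 value
const O_NOFOLLOW: i32 = 0o400000; // assumption: Linux x86_64/aarch64 value

/// Vulnerable pattern (as the text describes for Rust <= 1.58.0): lstat says
/// "directory", then read_dir re-resolves the *path*, so a symlink swapped in
/// between the two is followed. `window` stands in for the race window.
fn remove_dir_all_racy(path: &Path, window: &mut dyn FnMut()) -> io::Result<()> {
    if fs::symlink_metadata(path)?.file_type().is_symlink() {
        return fs::remove_file(path); // a link is unlinked, never followed
    }
    window(); // time-of-check / time-of-use gap
    for entry in fs::read_dir(path)? { // follows `path` if it is now a symlink
        let entry = entry?;
        if entry.file_type()?.is_dir() {
            remove_dir_all_racy(&entry.path(), window)?;
        } else {
            fs::remove_file(entry.path())?;
        }
    }
    fs::remove_dir(path)
}

/// Hardened pattern: O_NOFOLLOW | O_DIRECTORY makes open() fail with ELOOP on a
/// link and ENOTDIR on a non-directory, and the returned descriptor pins the
/// real directory inode regardless of what later appears at `path`.
fn open_dir_nofollow(path: &Path) -> io::Result<File> {
    OpenOptions::new().read(true).custom_flags(O_DIRECTORY | O_NOFOLLOW).open(path)
}

fn remove_contents_via_fd(dir: &File) -> io::Result<()> {
    // /proc/self/fd/N resolves to the open directory inode, not to the original path.
    let via_fd = PathBuf::from(format!("/proc/self/fd/{}", dir.as_raw_fd()));
    for entry in fs::read_dir(&via_fd)? {
        let entry = entry?;
        let p = via_fd.join(entry.file_name());
        if entry.file_type()?.is_dir() {
            let sub = open_dir_nofollow(&p)?; // refuses a link swapped in for `p`
            remove_contents_via_fd(&sub)?;
            drop(sub);
            fs::remove_dir(&p)?; // rmdir never follows its last component
        } else {
            fs::remove_file(&p)?; // unlink never follows its last component
        }
    }
    Ok(())
}

fn remove_dir_all_hardened(path: &Path, window: &mut dyn FnMut()) -> io::Result<()> {
    let dir = open_dir_nofollow(path)?;
    window(); // same gap, but nothing below re-resolves `path`
    remove_contents_via_fd(&dir)?;
    fs::remove_dir(path) // ENOTDIR if an attacker replaced `path` with a link
}

/// Constructed scenario: `tmp/` is the directory being cleaned up, `victim/` holds
/// data that must not be touched. With `attack`, the race window is used to rename
/// tmp/ away and plant a symlink tmp -> victim/. Returns
/// (call succeeded, victim/secret.txt survived, tmp's junk.txt survived).
pub fn run(hardened: bool, attack: bool) -> io::Result<(bool, bool, bool)> {
    let root = std::env::temp_dir().join(format!(
        "cve-2022-21658-demo-{}-{}-{}", std::process::id(), hardened, attack));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(root.join("victim/nested"))?;
    fs::write(root.join("victim/secret.txt"), b"must survive")?;
    fs::create_dir(root.join("tmp"))?;
    fs::write(root.join("tmp/junk.txt"), b"scratch")?;
    let (tmp, victim) = (root.join("tmp"), root.join("victim"));

    let mut done = false;
    let mut swap = || {
        if attack && !done {
            done = true;
            fs::rename(&tmp, root.join("tmp.moved")).unwrap();
            std::os::unix::fs::symlink(&victim, &tmp).unwrap();
        }
    };
    let result = if hardened {
        remove_dir_all_hardened(&tmp, &mut swap)
    } else {
        remove_dir_all_racy(&tmp, &mut swap)
    };
    let secret_survived = victim.join("secret.txt").exists();
    let junk_survived =
        root.join("tmp.moved/junk.txt").exists() || root.join("tmp/junk.txt").exists();
    let _ = fs::remove_dir_all(&root);
    Ok((result.is_ok(), secret_survived, junk_survived))
}

fn main() -> io::Result<()> {
    println!("racy, attacked:     {:?}", run(false, true)?);
    println!("hardened, attacked: {:?}", run(true, true)?);
    println!("hardened, benign:   {:?}", run(true, false)?);
    Ok(())
}
```

Under attack the racy version deletes victim/secret.txt and victim/nested (and then fails on the final rmdir, too late), while the hardened version empties the real, renamed directory through its descriptor, leaves victim/ untouched, and reports an error when the final rmdir hits the planted link. A production implementation would also remove the top-level directory relative to an open parent descriptor (unlinkat with AT_REMOVEDIR) rather than by path.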

All Rust versions from 1.0.0 through 1.58.0 inclusive are affected. The issue is currently fixed in the form of a patch (the fix will ship in release 1.58.1, expected within a few hours). The status of the fix in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch, FreeBSD. All users of Rust programs that run with elevated privileges and call remove_dir_all are advised to update Rust to version 1.58.1 urgently. Notably, the released patch does not close the problem on every system: for example, on REDOX OS and on macOS versions before 10.10 (Yosemite) the vulnerability remains unmitigated because the O_NOFOLLOW flag, which disables the following of symbolic links, is not available there.

Source: opennet.ru
