Two vulnerabilities in GRUB2 that allow bypassing UEFI Secure Boot protection

Information has been disclosed about two vulnerabilities in the GRUB2 bootloader that can lead to code execution when specially crafted fonts are used and certain Unicode sequences are processed. The vulnerabilities can be used to bypass the UEFI Secure Boot verified boot mechanism.

Identified vulnerabilities:

  • CVE-2022-2601 - A buffer overflow in the grub_font_construct_glyph() function when processing specially crafted fonts in the pf2 format, caused by an incorrect calculation of the max_glyph_size parameter and the allocation of a memory area that is clearly smaller than needed to hold the glyphs.
  • CVE-2022-3775 - An out-of-bounds write that occurs when certain Unicode sequences are rendered with a specially styled font. The problem is in the font processing code and is caused by the lack of proper checks to ensure that the width and height of a glyph match the size of the available bitmap. An attacker can craft the input so that the tail of the data is written outside the allocated buffer. It is noted that, despite the difficulty of exploiting the vulnerability, escalating the problem to code execution is not ruled out.

The fix has been published as a patch. The status of the fix in distributions can be checked on these pages: Ubuntu, SUSE, RHEL, Fedora, Debian. To fix the problems in GRUB2, it is not enough just to update the package; you will also need to generate new internal digital signatures and update installers, bootloaders, kernel packages, fwupd firmware and the shim layer.

Most Linux distributions use a small shim layer, digitally signed by Microsoft, for verified boot in UEFI Secure Boot mode. This layer verifies GRUB2 with its own certificate, which allows distribution developers not to have every kernel and GRUB update certified by Microsoft. Vulnerabilities in GRUB2 make it possible to execute one's own code at the stage after successful shim verification but before the operating system is loaded, wedging into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

To block the vulnerability without revoking the digital signature, distributions can use the SBAT (UEFI Secure Boot Advanced Targeting) mechanism, which is supported by GRUB2, shim and fwupd in most popular Linux distributions. SBAT was developed jointly with Microsoft and involves adding additional metadata to the executable files of UEFI components, including information about the manufacturer, product, component and version. This metadata is certified by a digital signature and can be separately included in the lists of allowed or prohibited components for UEFI Secure Boot.

SBAT allows blocking the use of a digital signature for individual component version numbers without having to revoke Secure Boot keys. Blocking vulnerabilities via SBAT does not require the use of the UEFI certificate revocation list (dbx), but is performed at the level of replacing the internal key used to generate signatures and updating GRUB2, shim and other boot artifacts supplied by distributions. Before the introduction of SBAT, updating the certificate revocation list (dbx, UEFI Revocation List) was a prerequisite for completely blocking the vulnerability, since an attacker, regardless of the operating system used, could use bootable media with an old vulnerable version of GRUB2, certified by a digital signature, to compromise UEFI Secure Boot.

Source: opennet.ru
