Qualys has identified its third significant vulnerability this year (CVE-2022-3328) in the snap-confine utility, which ships with the SUID root flag and is called by the snapd process to create an executable environment for applications distributed in self-contained snap packages. The vulnerability allows a local unprivileged user to execute code with root privileges in the default Ubuntu configuration. The issue is fixed in snapd 2.57.6. Package updates have been released for all supported Ubuntu branches.
Interestingly, the vulnerability in question was introduced while fixing a similar February vulnerability in snap-confine. The researchers were able to prepare a working exploit that provides root access on Ubuntu Server 22.04. In addition to the snap-confine vulnerability, it also involves two vulnerabilities in the multipathd process (CVE-2022-41974, CVE-2022-41973), related to bypassing the permission check when privileged commands are passed and to unsafe handling of symbolic links.
The vulnerability in snap-confine is caused by a race condition in the must_mkdir_and_open_with_perms() function, which was added to prevent the /tmp/snap.$SNAP_NAME directory from being replaced with a symbolic link after its ownership has been checked but before the mount system call is invoked to bind-mount the snap's directories. The added protection consisted of renaming the /tmp/snap.$SNAP_NAME directory to another directory in /tmp with a random name if it existed and was not owned by root.
In exploiting the /tmp/snap.$SNAP_NAME directory rename operation, the researchers took advantage of the fact that snap-confine also creates a /tmp/snap.rootfs_XXXXXX directory for the root of the snap package's contents. The "XXXXXX" part of the name is chosen at random using mkdtemp(), but a package named "rootfs_XXXXXX" can pass validation in the sc_instance_name_validate function (that is, the idea is to force $SNAP_NAME to be "rootfs_XXXXXX", so that the rename operation displaces the rootfs_XXXXXX directory containing the snap root).
To make the use of /tmp/snap.rootfs_XXXXXX and the renaming of /tmp/snap.$SNAP_NAME happen at the same time, two instances of snap-confine were started. As soon as the first instance created /tmp/snap.rootfs_XXXXXX, the process was blocked and a second instance was started with the package name rootfs_XXXXXX. As a result, the second instance's temporary directory /tmp/snap.$SNAP_NAME became the first instance's root directory /tmp/snap.rootfs_XXXXXX. Immediately after the rename, the second instance crashed, and /tmp/snap.rootfs_XXXXXX was replaced using a race condition, as in the February vulnerability. After the replacement, the block on the first instance was lifted, and the attackers gained full control over the snap root directory.
The final step involved creating a symbolic link, /tmp/snap.rootfs_XXXXXX/tmp, which was used by the sc_bootstrap_mount_namespace() function to bind-mount the real, writable /tmp directory onto any directory in the file system, since the mount() call follows symbolic links before mounting. This kind of mount is blocked by AppArmor restrictions, but to bypass this restriction the exploit used the two additional vulnerabilities in multipathd.
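The race described above exists because ownership is checked on a path and that path is then resolved again later. The following C helper, added here as an illustration and not taken from snapd or its fix, shows the descriptor-based pattern that removes the window between the ownership check and the later use of the directory; the names `open_private_dir` and `verified_dir_path` are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not snapd's code): create `name` under the directory
 * referred to by parent_fd and return a descriptor to it, or -1 on failure.
 * Every check runs on the descriptor, so swapping the path for a symlink
 * after the check cannot change which object was verified. */
int open_private_dir(int parent_fd, const char *name, uid_t owner)
{
    struct stat st;

    if (mkdirat(parent_fd, name, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW: a symlink planted at `name` makes openat() fail. */
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* fstat() inspects the opened object, not whatever the path names now.
     * Reject a pre-existing directory with the wrong owner or one that
     * group/other can write to. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Path that refers to the verified descriptor; a caller would hand this,
 * rather than the /tmp path, to later path-based calls such as mount(). */
int verified_dir_path(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}
```
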
Source: opennet.ru
