Root vulnerability in the Snap package management toolkit

Qualys has identified the third dangerous vulnerability this year (CVE-2022-3328) in the snap-confine utility, which ships with the SUID root flag and is called by the snapd process to create an executable environment for applications distributed in self-contained packages in the snap format. The vulnerability allows a local unprivileged user to achieve code execution as root in the default Ubuntu configuration. The issue is fixed in the snapd 2.57.6 release. Package updates have been released for all supported Ubuntu branches.

Interestingly, the vulnerability in question was introduced while fixing a similar February vulnerability in snap-confine. The researchers were able to prepare a working exploit that gives root access on Ubuntu Server 22.04 and that, in addition to the snap-confine vulnerability, also involves two vulnerabilities in the multipathd process (CVE-2022-41974, CVE-2022-41973), related to bypassing the authorization check when sending privileged commands and to unsafe handling of symbolic links.

The vulnerability in snap-confine is caused by a race condition in the must_mkdir_and_open_with_perms() function, which was added to protect against the /tmp/snap.$SNAP_NAME directory being replaced with a symbolic link after the owner check but before the mount system call that bind-mounts directories into it for the snap package. The added protection consisted of renaming the /tmp/snap.$SNAP_NAME directory to another directory in /tmp with a random name if it exists and is not owned by root.

When exploiting the rename of the /tmp/snap.$SNAP_NAME directory, the researchers took advantage of the fact that snap-confine also creates a /tmp/snap.rootfs_XXXXXX directory for the root of the snap package contents. The "XXXXXX" part of the name is chosen randomly by mkdtemp(), but a package named "rootfs_XXXXXX" can pass validation in the sc_instance_name_validate function (that is, the idea is that $SNAP_NAME is set to "rootfs_XXXXXX", and the rename operation then results in the /tmp/snap.rootfs_XXXXXX directory holding the snap root being overwritten).

To achieve simultaneous use of /tmp/snap.rootfs_XXXXXX and the rename of /tmp/snap.$SNAP_NAME, two instances of snap-confine were launched. Once the first instance had created /tmp/snap.rootfs_XXXXXX, the process was blocked and a second instance was started with the package name rootfs_XXXXXX, which caused the second instance's temporary directory /tmp/snap.$SNAP_NAME to become the root directory /tmp/snap.rootfs_XXXXXX of the first. Immediately after the rename completed, the second instance crashed, and /tmp/snap.rootfs_XXXXXX was replaced by manipulating the race condition, as in the exploitation of the February vulnerability. After the substitution, the execution lock was removed from the first instance and the attackers gained full control over the snap root directory.

The final step was to create a symlink /tmp/snap.rootfs_XXXXXX/tmp, which the sc_bootstrap_mount_namespace() function used to bind-mount the real writable /tmp directory onto any directory in the file system, since the mount() call follows symlinks before mounting. Such a mount is blocked by AppArmor restrictions, but to get past this block the exploit used two auxiliary vulnerabilities in multipathd.
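
The race described above sits between a check made on a path in world-writable /tmp and a later use of that same path. As an added illustration (not snap-confine's code and not the change made in snapd 2.57.6), the C example below binds the ownership check to an open descriptor instead; the helper `open_private_dir`, the `self_check` routine and the directory names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not snapd code: create `name` under parent_fd unless
 * an entry already exists (EEXIST is tolerated and validated below), then
 * return a descriptor only for a directory owned by `owner`; -1 otherwise. */
int open_private_dir(int parent_fd, const char *name, uid_t owner)
{
    if (mkdirat(parent_fd, name, 0700) != 0 && errno != EEXIST)
        return -1;
    /* A symlink (O_NOFOLLOW) or non-directory (O_DIRECTORY) fails to open. */
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the opened object itself, so swapping the path
     * after this point cannot change what was checked. */
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scratch-dir check: 1 if a fresh dir passes and a symlink fails. */
int self_check(void)
{
    char base[] = "/tmp/private-dir-demo.XXXXXX";
    int parent = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY) : -1;
    if (parent < 0)
        return 0;
    int good = open_private_dir(parent, "snap.example", geteuid());
    int planted = symlinkat("/", parent, "snap.planted");
    int bad = open_private_dir(parent, "snap.planted", geteuid());
    if (good >= 0)
        close(good);
    unlinkat(parent, "snap.planted", 0);
    unlinkat(parent, "snap.example", AT_REMOVEDIR);
    close(parent);
    rmdir(base);
    return good >= 0 && planted == 0 && bad == -1;
}

int main(void) { return self_check() ? 0 : 1; }
```

Later operations on the directory should go through the returned descriptor (`openat`, `fstatat`) rather than resolving the path again.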

Source: opennet.ru
