Ghostscript vulnerability exploitable via ImageMagick

Ghostscript, a set of tools for processing, converting and generating documents in the PostScript and PDF formats, has a critical vulnerability (CVE-2021-3781) that allows arbitrary code execution when a specially formatted file is processed. The issue initially came to the attention of Emil Lerner, who spoke about the vulnerability on August 25 at the ZeroNights X conference held in St. receive bonuses for demonstrating attacks on the AirBNB, Dropbox and Yandex.Real Estate services).

On September 5, a working exploit appeared in the public domain that makes it possible to attack systems running Ubuntu 20.04 by passing a specially crafted document, uploaded as an image, to a web script running on the server that uses the php-imagemagick package. Moreover, according to preliminary data, a similar exploit has been in use since March. It was claimed that systems running GhostScript 9.50 could be attacked, but it turned out that the vulnerability is present in all subsequent versions of GhostScript, including the in-development 9.55 release from Git.

A fix was proposed on September 8 and, after peer review, was accepted into the GhostScript repository on September 9. In many distributions the problem remains unfixed (the status of the updates can be checked on the pages of Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD). A GhostScript release with the fix for the vulnerability is planned to be published before the end of the month.

The problem is caused by the possibility of bypassing the "-dSAFER" isolation mode because of insufficient checking of the parameters of the Postscript device "%pipe%", which allowed arbitrary shell commands to be executed. For example, to run the id utility from a document, it is enough to specify the line "(%pipe%/tmp/&id)(w)file" or "(%pipe%/tmp/;id)(r)file".

Recall that vulnerabilities in Ghostscript pose an increased danger, since this package is used in many popular applications for processing the PostScript and PDF formats. For example, Ghostscript is called during desktop thumbnail creation, background data indexing, and image conversion. For a successful attack, in many cases it is enough simply to download the file with the exploit or to browse the directory containing it in a file manager that supports displaying document thumbnails, for example in Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image processors based on the ImageMagick and GraphicsMagick packages by passing them a JPEG or PNG file that contains PostScript code instead of an image (such a file will be processed by Ghostscript, since the MIME type is recognized from the content, without relying on the extension).
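Because the image libraries pick the decoder from the file content, an upload handler can apply the same content check before the file ever reaches ImageMagick. The following is an added example, not code from the original article or from any of the projects it mentions; the function names are hypothetical and it assumes an application that accepts only JPEG and PNG uploads.

```python
import os
from typing import Tuple

# Leading bytes of the image formats this (assumed) application accepts.
IMAGE_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Leading bytes of formats that ImageMagick/GraphicsMagick hand to Ghostscript.
GS_MAGIC = {
    "postscript": b"%!",
    "pdf": b"%PDF-",
    "eps-binary": b"\xc5\xd0\xd3\xc6",  # DOS EPS binary header
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png"}


def sniff(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    # Conservative choice: ignore leading whitespace before the signature.
    head = data[:1024].lstrip(b"\r\n\t ")
    for name, magic in {**GS_MAGIC, **IMAGE_MAGIC}.items():
        if head.startswith(magic):
            return name
    return "unknown"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept a file only if its content matches its claimed image extension."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_TYPE.get(ext)
    if claimed is None:
        return False, "extension not in image allowlist"
    actual = sniff(data)
    if actual in GS_MAGIC:
        # The case described above: PostScript-family content behind an image name.
        return False, f"{actual} content behind {ext} name"
    if actual != claimed:
        return False, f"content is {actual}, expected {claimed}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "avatar.jpg": b"%!PS-Adobe-3.0\nshowpage\n",
    }
    for name, body in samples.items():
        print(name, check_upload(name, body))
```

A check like this narrows the upload path only; thumbnailers and other callers of Ghostscript on the same host are unaffected by it.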

Source: opennet.ru
