Ukuba sengozini (CVE-2024-2961) kukhonjwe kulabhulali ye-Glibc evamile eholela ekuchichimeni kwebhafa lapho kuguqulwa amayunithi ezinhlamvu afomethwe ngokukhethekile ekubhaleni ngekhodi kwe-ISO-2022-CN-EXT kusetshenziswa umsebenzi we-iconv(). Umcwaningi ohlonze inkinga uhlela ukunikeza isethulo engqungqutheleni ye-OffensiveCon ngoMeyi 10, isimemezelo esisho ukuthi kungenzeka kuxhashazwe ubungozi ngokusebenzisa izinhlelo zokusebenza ezibhalwe nge-PHP. Udaba kuthiwa luthinta yonke i-PHP ecosystem nezinye izinhlelo zokusebenza.
Lapho uguqula amayunithi ezinhlamvu anekhodi ye-UCS4, njengoba kudingwa i-RFC 1922, ilabhulali yengeza izinhlamvu ezithile zokubalekela ukuze kugqanyiswe izingxenye zeyunithi yezinhlamvu lapho umbhalo wekhodi ushintshiwe. Ukuba sengozini kubangelwa ukuhlolwa komngcele okungalungile kwamabhafa angaphakathi ngomsebenzi we-iconv(), ongaholela ekuchichimeni kwebhafa okungafika kumabhayithi angu-4. Uma kwenzeka ukuchichima kwebhafa, amanani athile angashintshi angase abhalwe, njengokuthi '$+I', '$+J', '$+K', '$+L', '$+M' kanye ne-'$* H'. Nakuba ukuxhashazwa kobungozi obunjalo bokwenza ikhodi kubonakala kungenzeki, ngokomcwaningi ohlonze inkinga, lokhu kwanele ukulungiselela ukuxhashazwa kwesibonelo sokuhlasela okukude kwezinhlelo zokusebenza ze-PHP, okuholela ekusebenziseni ikhodi.
Уязвимость проявляется с 2000 года и устранена в находящейся в разработке ветке Glibc 2.40. Исправление также доступно в виде патчей для выпусков Glibc с 2.32 по 2.39. В дистрибутивах проследить за исправлением уязвимости можно на страницах: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.
Source: opennet.ru
