Iphakheji ye-ImageMagick, evame ukusetshenziswa abathuthukisi bewebhu ukuguqula izithombe, inobungozi be-CVE-2022-44268, okungaholela ekuvuzeni kokuqukethwe kwefayela uma izithombe ze-PNG ezilungiselelwe umhlaseli ziguqulwa kusetshenziswa i-ImageMagick. Ukuba sengozini kuthinta amasistimu acubungula izithombe zangaphandle bese evumela imiphumela yokuguqulwa ukuthi ilayishwe.
Ukuba sengozini kubangelwa ukuthi uma i-ImageMagick icubungula isithombe se-PNG, isebenzisa okuqukethwe kwepharamitha βyephrofayelaβ kusuka kubhulokhi yemethadatha ukuze inqume igama lefayela lephrofayela, elifakwe efayeleni eliwumphumela. Ngakho-ke, ngokuhlaselwa, kwanele ukwengeza ipharamitha "yephrofayela" ngendlela yefayela edingekayo esithombeni se-PNG (isibonelo, "/etc/passwd") nalapho ucubungula isithombe esinjalo, isibonelo, lapho ushintsha usayizi wesithombe. , okuqukethwe kwefayela elidingekayo kuzofakwa efayeleni lokuphumayo . Uma ucacisa okuthi "-" esikhundleni segama lefayela, isibambi sizolenga silinde okokufaka okuvela ekusakazweni okujwayelekile, okungasetshenziswa ukudala ukunqatshelwa kwesevisi (CVE-2022-44267).
Isibuyekezo sokulungisa ukuba sengozini asikakakhishwa, kodwa abathuthukisi be-ImageMagick batuse ukuthi njengendlela yokusebenza ukuze uvimbele ukuvuza, dala isimiso kuzilungiselelo ezikhawulela ukufinyelela emizileni ethile yefayela. Isibonelo, ukunqabela ukufinyelela ngezindlela eziphelele nezihlobene, ungakwazi ukwengeza okulandelayo ku-policy.xml:
Iskripthi sokukhiqiza izithombe ze-PNG ezisebenzisa ubungozi sesivele sitholakala esidlangalaleni.
Source: opennet.ru