Vulnerability in NPM allowing files on the system to be overwritten

GitHub has disclosed details of seven vulnerabilities in the tar and @npmcli/arborist packages, which provide functions for working with tar archives and computing the dependency tree in Node.js. When a specially crafted archive is extracted, the vulnerabilities allow files to be overwritten outside the root directory in which the extraction is performed, to the extent the current access permissions allow. The issues make it possible to arrange arbitrary code execution on the system, for example by appending commands to ~/.bashrc or ~/.profile if the operation is performed by an unprivileged user, or by modifying system files when it runs as root.

The danger of the vulnerability is heightened by the fact that the affected code is used by the npm package manager when performing operations on npm packages, which makes it possible to attack users by placing a specially crafted npm package in the repository, the processing of which would execute the attacker's code on the system. The attack is possible even when packages are installed in "--ignore-scripts" mode, which disables the execution of built-in scripts. In total, npm is affected by four (CVE-2021-32804, CVE-2021-37713, CVE-2021-39134 and CVE-2021-39135) of the seven vulnerabilities. The first two issues affect the tar package, and the remaining two affect the @npmcli/arborist package.

The most dangerous vulnerability, CVE-2021-32804, is caused by the fact that when absolute paths specified in a tar archive are sanitized, repeated "/" characters are handled incorrectly: only the first character is stripped, while the rest remain. For example, the path "/home/user/.bashrc" is converted to "home/user/.bashrc", but the path "//home/user/.bashrc" becomes "/home/user/.bashrc". The second vulnerability, CVE-2021-37713, manifests only on the Windows platform and is related to incorrect sanitization of relative paths that include an unqualified drive letter ("C:some\path") and a parent-directory traversal sequence ("C:../foo").

Vulnerabilities CVE-2021-39134 and CVE-2021-39135 were identified in the @npmcli/arborist module. The first issue manifests only on systems with a case-insensitive file system (macOS and Windows) and allows files to be written to an arbitrary part of the file system by specifying two modules among the dependencies, 'foo: "file:/some/path"' and 'FOO: "file:foo.tgz"', the processing of which leads to the contents of the /some/path directory being removed and the contents of foo.tgz being written there. The second issue allows files to be overwritten through symbolic link manipulation.

The vulnerabilities were fixed in Node.js releases 12.22.6 and 14.17.6, npm CLI 6.14.15 and 7.21.0, and the standalone tar package releases 4.4.19, 5.0.11, and 6.1.10. After receiving the report through its bug bounty program, GitHub paid the researchers $14,500 and scanned the contents of the package repository, which revealed no attempts to exploit the vulnerabilities. To protect against these issues, GitHub has also blocked the publishing of NPM packages that contain symbolic links, hard links, or absolute paths to the repository.

Source: opennet.ru
