Vulnerabilities in X.Org libraries, two of which have been present since 1988

Information has been released about five vulnerabilities in the libX11 and libXpm libraries developed by the X.Org project. The issues were fixed in the libXpm 3.5.17 and libX11 1.8.7 releases. Three vulnerabilities were found in the libX11 library, which provides functions with a client implementation of the X11 protocol:

  • CVE-2023-43785 - A buffer overflow in the libX11 code occurs when processing a response from the X server in which the number of characters does not match the previously sent XkbGetMap request. The vulnerability is caused by a bug in X11R6.1 that has been present since 1996. It can be exploited when an application using libX11 connects to a malicious X server or to an intermediate proxy controlled by an attacker.
  • CVE-2023-43786 - Stack exhaustion due to infinite recursion in the PutSubImage() function in libX11, which occurs when processing specially crafted data in XPM format. The vulnerability has been present since the release of X11R2 in February 1988.
  • CVE-2023-43787 - An integer overflow in the XCreateImage() function in libX11 leads to a heap overflow, because an error in the size calculation produces a size that does not match the actual size of the data. The problematic XCreateImage() function is called from the XpmReadFileToPixmap() function, which allows the vulnerability to be exploited when processing a specially crafted file in XPM format. This vulnerability has also been present since X11R2 (1988).
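
The class of size-calculation error described for CVE-2023-43787, shown next to an overflow-checked form. This is an added example, not libX11 code and not from the original article; the function names, the 32-bit dimension fields and the 1 GiB limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; not taken from libX11. */

/* Unchecked: every step is done in 32 bits, so large dimensions wrap
 * and the returned size can be far smaller than the real image data. */
static uint32_t image_bytes_unchecked(uint32_t width, uint32_t height,
                                      uint32_t bits_per_pixel)
{
    uint32_t bytes_per_line = (width * bits_per_pixel + 7) / 8;
    return bytes_per_line * height;
}

/* Checked: widens before multiplying and rejects anything above `limit`.
 * Returns 0 and stores the size in *out, or -1 if the request is invalid. */
static int image_bytes_checked(uint32_t width, uint32_t height,
                               uint32_t bits_per_pixel, size_t limit,
                               size_t *out)
{
    if (width == 0 || height == 0 || bits_per_pixel == 0)
        return -1;
    /* Two 32-bit factors cannot overflow a 64-bit product. */
    uint64_t bytes_per_line = ((uint64_t)width * bits_per_pixel + 7) / 8;
    /* Divide instead of multiply so the comparison itself cannot wrap. */
    if (bytes_per_line > limit / height)
        return -1;
    *out = (size_t)(bytes_per_line * height);
    return 0;
}

int main(void)
{
    const size_t limit = (size_t)1 << 30;   /* assumed policy: 1 GiB cap */
    size_t n = 0;

    /* Constructed inputs: one ordinary image, two that wrap in 32 bits. */
    printf("100x50x24      unchecked=%u checked_rc=%d\n",
           (unsigned)image_bytes_unchecked(100, 50, 24),
           image_bytes_checked(100, 50, 24, limit, &n));
    printf("65536x65536x32 unchecked=%u checked_rc=%d\n",
           (unsigned)image_bytes_unchecked(0x10000u, 0x10000u, 32),
           image_bytes_checked(0x10000u, 0x10000u, 32, limit, &n));
    printf("0x40000001x2   unchecked=%u checked_rc=%d\n",
           (unsigned)image_bytes_unchecked(0x40000001u, 2, 32),
           image_bytes_checked(0x40000001u, 2, 32, limit, &n));
    return 0;
}
```

An allocation sized by the unchecked result is too small for the rows that are later copied into it, which is how a wrapped size turns into a heap overflow.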

In addition, two vulnerabilities were disclosed in the libXpm library (CVE-2023-43788 and CVE-2023-43789), caused by the ability to read from areas outside the bounds of allocated memory. The problems occur when loading a comment from a buffer in memory and when processing an XPM file with an incorrect color map. Both vulnerabilities date back to 1998 and were found using the memory error detection and fuzz testing tools AddressSanitizer and libFuzzer.

X.Org has a history of security problems. Ten years ago, at the 30th Chaos Communication Congress (CCC), a presentation by security researcher Ilja van Sprundel devoted one part to problems in the X.Org server and the other part to the security of the X11 client libraries. Ilja's report, which in 2013 identified 30 vulnerabilities affecting various X11 client libraries as well as the DRI components of Mesa, included emotional statements such as "GLX is a terrible demotivator! 80 lines of sheer terror!" and "I found 000 bugs in it over the past few months, and I haven't finished checking it yet."

Source: opennet.ru
