Two vulnerabilities have been identified in the Cargo package manager, which is used to manage packages and build Rust projects. They can be exploited by downloading specially crafted packages from third-party repositories (users of the official crates.io repository are reported not to be affected). The first vulnerability (CVE-2022-36113) allows the first two bytes of an arbitrary file to be overwritten, subject to the current permissions. The second vulnerability (CVE-2022-36114) can be exploited to exhaust disk space.
The vulnerabilities will be fixed in the Rust 1.64 release, scheduled for September 22. They are rated low severity, since the same damage could be caused by using unverified packages from third-party repositories through the built-in ability to run handlers from build scripts supplied by the package or from procedural macros. However, the issues described here differ in that they are triggered during the package unpacking stage after download, without building anything.
Specifically, after downloading a package, cargo extracts its contents into the ~/.cargo directory and then records a successful-extraction flag in the .cargo-ok file. The first vulnerability is that the package author can place a symbolic link named .cargo-ok inside the package, which causes the text "ok" to be written to the file the link points to.
The second vulnerability is caused by the lack of a size limit on the data extracted from the archive, which can be used to build a "zip bomb": the archive can hold data at the maximum compression ratio of the zip format, roughly 28 million to one, so a specially crafted 10 MB archive can expand to about 2 TB on extraction.
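The defence against this is to budget the decompressed output rather than trusting the compressed size. The following added example (this page's own illustration, not cargo's implementation) copies a decompressed stream into a destination and fails as soon as the output exceeds a limit, with a per-archive `ExtractionBudget` shared across entries. A real decompressor is not used; `io::repeat` stands in for a decompressor that keeps producing output from a tiny input, which is exactly the shape of a zip bomb, and the names, the buffer size and the limits are this example's own choices.

```rust
use std::io::{self, Read, Write};

/// Copy from `src` to `dst`, returning an error as soon as more than `max_bytes`
/// have been produced. Unlike `Read::take`, which silently truncates, this
/// treats an over-size stream as a hard failure so the caller can abort unpacking.
pub fn copy_with_limit<R: Read, W: Write>(src: &mut R, dst: &mut W, max_bytes: u64) -> io::Result<u64> {
    let mut buf = [0u8; 8192];
    let mut total: u64 = 0;
    loop {
        let n = src.read(&mut buf)?;
        if n == 0 {
            return Ok(total);
        }
        total += n as u64;
        if total > max_bytes {
            return Err(io::Error::new(
                io::ErrorKind::InvalidData,
                format!("decompressed data exceeds limit of {} bytes", max_bytes),
            ));
        }
        dst.write_all(&buf[..n])?;
    }
}

/// Total-output budget for one archive: every entry draws from the same pool,
/// so many medium-sized entries cannot add up to a disk-filling total either.
pub struct ExtractionBudget {
    remaining: u64,
}

impl ExtractionBudget {
    pub fn new(max_total: u64) -> Self {
        ExtractionBudget { remaining: max_total }
    }

    pub fn remaining(&self) -> u64 {
        self.remaining
    }

    /// Extract one entry's decompressed stream into `dst`, charging its size to the budget.
    pub fn extract_entry<R: Read, W: Write>(&mut self, src: &mut R, dst: &mut W) -> io::Result<u64> {
        let n = copy_with_limit(src, dst, self.remaining)?;
        self.remaining -= n;
        Ok(n)
    }
}

/// Simulated zip bomb: `io::repeat` never returns EOF, like a decompressor fed a
/// highly compressed run of zeros. The budget cuts it off instead of filling the disk.
pub fn simulate_unbounded_entry(max_total: u64) -> io::Result<u64> {
    let mut budget = ExtractionBudget::new(max_total);
    let mut src = io::repeat(0u8);
    let mut dst = io::sink();
    budget.extract_entry(&mut src, &mut dst)
}

fn main() {
    // Constructed limit of 1 MiB for the demo; a real unpacker would pick a
    // per-package ceiling appropriate to the registry's expected crate sizes.
    match simulate_unbounded_entry(1 << 20) {
        Ok(n) => println!("extracted {} bytes", n),
        Err(e) => println!("aborted unpack: {}", e),
    }
}
```

Because the check runs on the decompressed byte count, it does not matter what ratio the archive achieves: the unpacker stops after at most one buffer past the limit.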
Source: opennet.ru
