A vulnerability was discovered in xterm that leads to code execution


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, in general, to cause problems.

News recently broke that a vulnerability has been found in the xterm terminal emulator (already catalogued as CVE-2022-45063). The flaw allows shell commands to be executed when certain escape sequences are processed by the terminal.

The problem is reported to stem from an error in the handling of escape code 50, which is used to set or query font options. If the requested font does not exist, the operation returns the font name that was specified in the request.

The problem is in the OSC 50 sequence, which is for setting and querying the font. If a given font does not exist, it is not set, but a query will return the name that was set. Control characters cannot be included, but the response string can be terminated with ^G. This basically gives us a primitive for returning text to the terminal that ends with ^G.

Control characters cannot be inserted directly into the name, but the returned string can be terminated with the "^G" sequence, which in zsh, when vi-style line editing mode is active, triggers a list expansion operation that can be used to execute commands without pressing the Enter key.

In the simplest case, an attack only requires that the contents of a specially crafted file be displayed on the screen, for example with the cat utility, or that a line be pasted from the clipboard.

Debian, Red Hat and others disable font operations by default, but users can re-enable them through an option or a configuration menu. Upstream xterm, however, does not disable them by default, so some distributions ship a vulnerable default configuration.

To exploit the vulnerability successfully, the user must be running the Zsh shell with the command-line editor switched to "vi" mode (vi-cmd-mode), which distributions generally do not enable by default.

Basically, we need:
zsh
vi-style line editing mode active
copy the trojan text to the clipboard
paste it into zsh

This can be automated; many sites alter text when it is copied to the clipboard. So I only use the selection buffer, which browsers do not touch. Only gtk3, and ff in particular, break things for some reason; it is tedious.

The problem also does not manifest when xterm is configured with allowWindowOps=false or allowFontOps=false. For example, allowFontOps=false is set on OpenBSD, Debian and RHEL, but is not applied by default on Arch Linux.

According to the changelog and the statement of the researcher who discovered the issue, the vulnerability was fixed in xterm 375, but according to other sources it continues to manifest in the xterm 375 package on Arch Linux.

This means that to exploit this vulnerability, the user must be using Zsh in vi line-editing mode (usually via $EDITOR having "vi" in it). While somewhat obscure, this is not an entirely unusual configuration.

In this setup, something like:
printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063
cat cve-2022-45063 # or some other way of delivering this to the victim
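As an added defensive example (not code from the original article or from the researcher), the following Python checker inspects a byte stream for the OSC 50 set-then-query pattern described above before the content is shown on a terminal, and rewrites every OSC sequence into a visible marker so the file can be displayed safely. The sample bytes and the `neutralize_osc` marker format are constructed for this example.

```python
import re

# OSC: ESC ] <Ps> ; <Pt>, terminated by BEL (\x07) or ST (ESC \).
# The body excludes ESC so a stray ESC cannot swallow the following text.
OSC_RE = re.compile(rb"\x1b\]([^\x07\x1b]*)(?:\x07|\x1b\\)")

# Characters in a font name that zsh would act on once xterm's reply is
# fed back into the vi-mode line editor and terminated with ^G.
SHELL_META_RE = re.compile(rb"\$\(|`|[;|&\n]")


def find_osc(data: bytes):
    """Return a list of (Ps, Pt) pairs for every OSC sequence, in order."""
    seqs = []
    for m in OSC_RE.finditer(data):
        ps, _, pt = m.group(1).partition(b";")
        seqs.append((ps.decode("ascii", "replace"), pt))
    return seqs


def osc50_findings(data: bytes):
    """Describe OSC 50 usage matching the CVE-2022-45063 pattern: a font
    *set* whose name carries shell metacharacters, plus a font *query*
    (Pt == '?') that makes xterm echo that name back to the shell."""
    findings = []
    osc50 = [pt for ps, pt in find_osc(data) if ps == "50"]
    sets = [pt for pt in osc50 if pt != b"?"]
    queries = [pt for pt in osc50 if pt == b"?"]
    for pt in sets:
        if SHELL_META_RE.search(pt):
            findings.append(f"OSC 50 font name with shell metacharacters: {pt!r}")
    if sets and queries:
        findings.append(f"{len(sets)} OSC 50 set(s) and {len(queries)} OSC 50 query(ies) in the same stream")
    return findings


def neutralize_osc(data: bytes) -> bytes:
    """Replace each OSC sequence with a visible <OSC ...> marker so the
    terminal displays it instead of acting on it (constructed format)."""
    return OSC_RE.sub(lambda m: b"<OSC " + m.group(1) + b">", data)


# Constructed samples (not from the advisory): a set with a command
# substitution followed by the echoing query, and a harmless title change.
SAMPLE = b"hello\n\x1b]50;i$(echo constructed)\x07\x1b]50;?\x07world\n"
BENIGN = b"\x1b]0;window title\x07plain text\n"

if __name__ == "__main__":
    for finding in osc50_findings(SAMPLE):
        print(finding)
    print(neutralize_osc(SAMPLE).decode())
```

Run it against a file with `osc50_findings(open(path, "rb").read())` before displaying untrusted content; an empty list means no OSC 50 set-and-query pair was found, not that the file is free of other escape sequences.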

Finally, as usual, users of affected systems are advised to keep their systems up to date: once a security vulnerability becomes public, the ways to exploit it are usually disclosed as well, so the fixes developers publish should be applied promptly.

It is worth noting that font operations are not allowed in the default xterm configuration of some Linux distributions, so not all distributions are exposed to this bug. Those interested in following the release of fixes by distribution can do so on the pages for Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD and NetBSD.

If you are interested in learning more about it, you can check the details at the following link.
