Two vulnerabilities identified in Flatpak, fixed in new corrective updates


If exploited, these bugs could let an attacker inject commands into the user's console after an installation finishes, or mislead the user about the permissions an application is requesting.

Corrective updates of the Flatpak toolkit were recently released as versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4; they are already available and fix two vulnerabilities.

For those unfamiliar with Flatpak: it lets application developers simplify the distribution of programs that are not in the regular distribution repositories by preparing a single universal container, without building separate packages for each distribution.

For security-minded users, Flatpak runs the application in a container that is granted access only to the network functions and the user files the application needs. For users who want the latest software, Flatpak lets them install the newest test and stable versions of applications without making changes to the system.

The main difference between Flatpak and Snap is that Snap uses the host system's environment and isolates applications by filtering system calls, whereas Flatpak creates a separate system container and works with large runtimes, depending on whole runtimes rather than on individual packages.

About the bugs identified in Flatpak

These security updates fix two identified bugs. One of them, CVE-2023-28101, was discovered by Ryan Gonzalez: a malicious Flatpak application maintainer could manipulate or hide the permission display by requesting permissions whose names contain ANSI terminal control codes or other non-printing characters.

This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by displaying non-printable characters in escaped form (\xXX, \uXXXX, \UXXXXXXXX) so that they cannot alter the terminal's behaviour, and by treating non-printable characters in some contexts as invalid (rejected).

When installing or updating a Flatpak application with the flatpak CLI, the user is normally shown the special permissions the new application declares in its metadata, so that they can make a somewhat informed decision about whether to allow the installation.

When an application's permissions are retrieved for display to the user, a graphical front end remains responsible for filtering or escaping any characters that have special meaning to its GUI libraries.
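As an added illustration (example code written for this page, not Flatpak's own source), the following Python script models the CVE-2023-28101 problem and the fix described above. It parses a constructed metadata file for a hypothetical app `org.example.Notes`, shows what a terminal would display for a permission value laced with ANSI control sequences, shows the escaped form (\xXX, \uXXXX, \UXXXXXXXX) a fixed installer prints instead, and offers a strict mode that rejects such values outright. The metadata contents, the app ID and the function names are assumptions; the toy renderer only understands the two control sequences used in the sample.

```python
import configparser

# Constructed sample metadata for a hypothetical app "org.example.Notes".
# The [Context] section mirrors the layout of a Flatpak metadata file; the
# values are made up. The filesystems entry hides "host" behind two ANSI
# control sequences: ESC[2K (erase whole line) and ESC[1G (cursor to column 1).
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Notes\n"
    "runtime=org.freedesktop.Platform/x86_64/22.08\n"
    "command=notes\n"
    "\n"
    "[Context]\n"
    "shared=network;ipc;\n"
    "sockets=x11;wayland;\n"
    "filesystems=~/Documents;host\x1b[2K\x1b[1Gxdg-download:ro;\n"
)


def context_permissions(metadata_text: str) -> dict:
    """Return the key/value pairs of the [Context] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(metadata_text)
    return dict(parser["Context"]) if parser.has_section("Context") else {}


def has_nonprintable(value: str) -> bool:
    """True if the value contains anything a terminal could act on
    (control characters such as ESC) or any other non-printable code point."""
    return any(not ch.isprintable() for ch in value)


def escape_nonprintable(value: str) -> str:
    """Render non-printable code points as \\xXX, \\uXXXX or \\UXXXXXXXX so the
    string is safe to print; printable text is passed through unchanged."""
    out = []
    for ch in value:
        if ch.isprintable():
            out.append(ch)
        else:
            cp = ord(ch)
            if cp < 0x100:
                out.append(f"\\x{cp:02X}")
            elif cp < 0x10000:
                out.append(f"\\u{cp:04X}")
            else:
                out.append(f"\\U{cp:08X}")
    return "".join(out)


def toy_terminal_render(value: str) -> str:
    """Minimal model of what a terminal shows for the two sequences used in
    the sample (ESC[2K and ESC[1G). Real terminals handle far more; this only
    demonstrates why the raw value is misleading when printed unescaped."""
    line, col, i = [], 0, 0
    while i < len(value):
        if value.startswith("\x1b[2K", i):      # erase the whole line
            line = [" "] * len(line)
            i += 4
            continue
        if value.startswith("\x1b[1G", i):      # move the cursor to column 1
            col = 0
            i += 4
            continue
        if col < len(line):
            line[col] = value[i]               # overwrite what was there
        else:
            line.append(value[i])
        col += 1
        i += 1
    return "".join(line).rstrip()


def review_permissions(metadata_text: str, strict: bool = False) -> dict:
    """What an installer should show: escaped values, plus the keys that
    would be rejected when non-printable characters are treated as invalid."""
    perms = context_permissions(metadata_text)
    shown = {k: escape_nonprintable(v) for k, v in perms.items()}
    suspicious = sorted(k for k, v in perms.items() if has_nonprintable(v))
    if strict and suspicious:
        raise ValueError(f"non-printable characters in permissions: {suspicious}")
    return {"shown": shown, "suspicious": suspicious}


if __name__ == "__main__":
    raw = context_permissions(SAMPLE_METADATA)["filesystems"]
    print("unescaped terminal shows:", toy_terminal_render(raw))
    print("fixed CLI shows:         ", escape_nonprintable(raw))
    print("flagged keys:", review_permissions(SAMPLE_METADATA)["suspicious"])
```

Run as a script, it prints `xdg-download:ro;` for the raw value (the `host` grant has been wiped from the line) and `~/Documents;host\x1B[2K\x1B[1Gxdg-download:ro;` for the escaped value, which is the behaviour the fix gives the CLI. The `strict=True` path corresponds to the contexts where the fixed versions simply reject the value.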

Here is an excerpt from the vulnerability description that was shared:

  • CVE-2023-28100: ability to copy and paste text into the input buffer of the virtual console through manipulation of the TIOCLINUX ioctl while an attacker-crafted Flatpak package is being installed. For example, the vulnerability can be used to launch arbitrary console commands after the installation of a third-party package completes. The problem manifests only in the classic virtual console (/dev/tty1, /dev/tty2, and so on) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to flatpak and can be used to attack other applications; for example, similar vulnerabilities allowing character substitution via the TIOCSTI ioctl interface were previously found in /bin/sandbox and snap.
  • CVE-2023-28101: ability to use escape sequences in the list of permissions in the package metadata to hide information about the additional permissions requested, as displayed in the terminal during package installation or upgrade via the command line. An attacker could use this vulnerability to deceive users about the permissions used by the package. It is noted that GUIs built on libflatpak, such as GNOME Software and KDE Plasma Discover, are not directly affected.

Finally, as a workaround, you can use a GUI such as GNOME Software instead of the command line, and it is recommended to install only applications whose maintainers you trust.

If you want to know more, you can consult the details at the following link.

