Kukonza nsikidzi ziwiri ku Flatpak ndi zosintha zatsopano

posachedwapa anali zosintha zosintha zatulutsidwa wa zida zida Flatpak zamitundu yosiyanasiyana 1.14.4, 1.12.8, 1.10.8 ndi 1.15.4, zomwe zilipo kale komanso zomwe zimathetsa zovuta ziwiri.

Kwa iwo omwe sadziwa Flatpak, muyenera kudziwa kuti izi zimapangitsa kuti opanga mapulogalamu azitha kusintha magawidwe awo zomwe sizinaphatikizidwe m'malo osungiramo nthawi zonse pokonzekera chidebe chapadziko lonse popanda kupanga zomanga zosiyana pakugawa kulikonse.

Kwa ogwiritsa ntchito chitetezo, Flatpak imalola pulogalamu yokayikitsa kuti iyendetse mumtsuko, kupereka mwayi wongogwiritsa ntchito netiweki ndi mafayilo omwe amalumikizidwa ndi pulogalamuyi. Kwa ogwiritsa ntchito omwe ali ndi chidwi ndi zatsopano, Flatpak imawalola kuyika zoyeserera zaposachedwa ndi mitundu yokhazikika yamapulogalamu popanda kusintha machitidwe.

Kusiyana kwakukulu pakati pa Flatpak ndi Snap ndikuti Snap imagwiritsa ntchito zigawo zazikulu za chilengedwe ndi makina opangira mafoni, pamene Flatpak imapanga chidebe chosiyana ndi machitidwe akuluakulu othamanga, ndikupereka phukusi lofanana m'malo mwa phukusi monga zodalira.

Za nsikidzi zomwe zapezeka ku Flatpak

Muzosintha zatsopano zachitetezo izi, yankho limaperekedwa ku zolakwika ziwiri zomwe zapezeka, imodzi mwazomwe zidapezeka ndi Ryan Gonzalez (CVE-2023-28101) adapeza kuti osamalira moyipa pulogalamu ya Flatpak amatha kusokoneza kapena kubisa chiwonetserochi popempha zilolezo zomwe zikuphatikiza ma ANSI terminal control codes kapena zilembo zina zosasindikizidwa.

Izi zidakhazikika mu Flatpak 1.14.4, 1.15.4, 1.12.8 ndi 1.10.8 powonetsa zilembo zomwe zathawa zomwe sizinasindikizidwe (\xXX, \uXXXX, \UXXXXXXXXXX) kuti asasinthe machitidwe osatha, komanso kuyesa zilembo zosasindikizidwa muzochitika zina monga zosavomerezeka (zosaloledwa).

Mukayika kapena kukonzanso pulogalamu ya Flatpak pogwiritsa ntchito flatpak CLI, wogwiritsa ntchito nthawi zambiri amawonetsedwa zilolezo zapadera zomwe pulogalamu yatsopanoyo ili nayo muzolemba zake, kuti athe kupanga chisankho chodziwitsa ngati angalole kuyiyika.

Pochira a zilolezo zowonetsera kwa wogwiritsa ntchito, mawonekedwe azithunzi akupitilira kukhala ndi udindo wosefa kapena kuthawa zilembo zilizonse ali ndi tanthauzo lapadera ku malaibulale anu a GUI.

Kwa gawo kuchokera ku kufotokozera za zofookaAmagawana nafe zotsatirazi:

• Kufotokozera: CVE-2023-28100: Kutha kukopera ndi kumata zolemba mu buffer yolowetsamo yolumikizira kudzera pa TIOCLINUX ioctl manipulation mukakhazikitsa phukusi lopangidwa ndi Flatpak lowukira. Mwachitsanzo, chiwopsezocho chingagwiritsidwe ntchito poyambitsa kukhazikitsa malamulo osasinthika pambuyo pomaliza kukhazikitsa phukusi la chipani chachitatu. Vutoli limangowoneka mumtundu wapamwamba kwambiri (/dev/tty1, /dev/tty2, etc.) ndipo silikhudza magawo mu xterm, gnome-terminal, Konsole ndi ma terminals ena ojambula. Chiwopsezo sichinatchulidwe ndi flatpak ndipo chitha kugwiritsidwa ntchito kuukira mapulogalamu ena, mwachitsanzo, zowopsa zofananira zidapezeka kale zomwe zidaloledwa kusinthana ndi mawonekedwe a TIOCSTI ioctl mu /bin/ sandbox ndi snap.
• CVE-2023-28101- Kutha kugwiritsa ntchito njira zopulumukira pamndandanda wazololeza mu metadata ya phukusi kuti mubise zambiri za zilolezo zomwe zapemphedwa zomwe zimawonetsedwa mu terminal pakuyika phukusi kapena kukweza kudzera pa mzere wamalamulo. Wowukira atha kugwiritsa ntchito kusatetezeka kumeneku kunyengerera ogwiritsa ntchito za zilolezo zomwe zimagwiritsidwa ntchito pa phukusi. Zimanenedwa kuti ma GUI a libflatpak, monga GNOME Software ndi KDE Plasma Discover, samakhudzidwa mwachindunji ndi izi.

Pomaliza, zikunenedwa kuti ngati njira yogwirira ntchito mutha kugwiritsa ntchito GUI ngati GNOME Software Center m'malo mwa mzere wolamula.
mawonekedwe, kapena tikulimbikitsidwanso kuti muyike mapulogalamu omwe osamalira mumawakhulupirira.

Ngati mukufuna kudziwa zambiri za izi, mutha kufunsa a Zambiri mu ulalo wotsatira.