A vulnerability found in APT that allows a downloaded package to be substituted


A vulnerability has been identified in the APT package manager (CVE-2019-3462) that allows an attacker to trigger the installation of a substituted package, provided the attacker controls a repository mirror or can interfere with the traffic between the user and the repository (a MITM attack).

The problem was identified by security researcher Max Justicz, known for finding vulnerabilities in the APK package manager (Alpine) and in the Packagist, NPM and RubyGems repositories.

The problem is caused by incorrect validation of the fields in the HTTP redirect handling code.

What is the problem?

This vulnerability allows an attacker to substitute their own content into the data transferred within an HTTP session (Debian and Ubuntu use HTTP rather than HTTPS to access the repository, on the assumption that a digital signature plus verification of the metadata and package size is sufficient).

The identified vulnerability allows an attacker to replace the downloaded package, after which APT treats it as having been received from the official mirror and starts the installation process.

By including malicious scripts in the package that are run during installation, the attacker can achieve execution of their code on the system with root privileges.

To retrieve data from the repository, APT starts a child process that implements a particular transport and communicates with that process using a simple text protocol in which commands are separated by an empty line.

How does the problem manifest?

The essence of the problem is that the HTTP transport handler, on receiving a response from the HTTP server that carries a "Location:" header, asks the main process to confirm the redirect.

It passes the contents of this header through in full. Because the transmitted special characters are not sanitized, the attacker can place a line feed inside the "Location:" field.

Since this value is decoded and sent over the communication channel to the main process, the attacker can simulate an additional response from the HTTP transport handler and inject a fake 201 URI Done block.

For example, if the attacker substitutes the response when a package is requested, that substitution results in a modified data block being passed to the main process.

The hashes of the downloaded files are calculated in the worker process, and the main process only compares that data against the hashes from the signed package database.

In the metadata, the attacker can specify any hash value that the database associates with a genuinely signed package, even though it does not actually match the hashes of the transferred file.

The main process accepts the response code substituted by the attacker, looks up the hash in the database and assumes that a package with a valid digital signature has been downloaded, even though the value of the hash field was replaced in the communication channel with the main process by the attack, as was the file named in the substituted metadata.

The download of the malicious package is achieved by binding the package to the Release.gpg file during the substitution.

This file has a predictable location on the filesystem, and binding the package to it does not interfere with verification of the signature obtained from the repository.

When fetching data, apt runs worker processes that implement the different schemes used to transport the data.

The main process then communicates with these workers over stdin/stdout to tell them what to fetch and where to place it on the filesystem, using a protocol that looks like HTTP.

The main process sends its configuration and requests a resource, and the worker process responds.

When the HTTP server responds with a redirect, the worker process returns 103 Redirect instead of 201 URI Done, and the main process uses this response to decide which resource to request next.
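To make the control-character issue concrete, here is an added Python example, not code from APT or from the original post: it builds the worker's 103 Redirect message in the pre-fix shape (the Location value copied verbatim) and in a hardened shape that percent-encodes the redirect target, then splits the resulting stream into messages the way the main process would. The New-URI field name, the mirror URL and the injected Location value are assumptions constructed for the example.

```python
import re
from urllib.parse import quote

# Constructed sample (not a real server response): a Location value that
# embeds two line feeds followed by text shaped like a second worker message.
INJECTED_LOCATION = (
    "http://mirror.example/pool/a.deb\n\n"
    "201 URI Done\nURI: http://mirror.example/pool/a.deb"
)

def redirect_message_unsafe(uri: str, location: str) -> str:
    """Pre-fix shape: the Location value is copied verbatim into the
    103 Redirect message that the worker writes to stdout."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"

def sanitize_redirect_target(location: str) -> str:
    """Hardened shape (this example's approach, not necessarily the upstream
    patch): percent-encode every byte that is not a plain URI character, so
    CR, LF and other control bytes can never terminate a protocol line."""
    return quote(location, safe=":/?#[]@!$&'()*+,;=%")

def redirect_message_safe(uri: str, location: str) -> str:
    """Same message as above, but with the redirect target sanitized first."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {sanitize_redirect_target(location)}\n\n"

def parse_method_messages(stream: str) -> list[tuple[int, dict[str, str]]]:
    """Split a worker->main stream into (status code, fields) messages.
    Messages are separated by an empty line; the first line of each is
    '<code> <description>' and the remaining lines are 'Field: value'."""
    messages = []
    for block in re.split(r"\n\n+", stream.strip()):
        lines = block.split("\n")
        code = int(lines[0].split(" ", 1)[0])
        fields = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        messages.append((code, fields))
    return messages

def status_codes(stream: str) -> list[int]:
    """Just the status codes the main process would see, in order."""
    return [code for code, _ in parse_method_messages(stream)]

if __name__ == "__main__":
    uri = "http://mirror.example/pool/a.deb"
    # Unsanitized: the main process sees two messages, the second a forged 201.
    print(status_codes(redirect_message_unsafe(uri, INJECTED_LOCATION)))  # [103, 201]
    # Sanitized: a single 103 whose New-URI still carries the encoded bytes.
    print(status_codes(redirect_message_safe(uri, INJECTED_LOCATION)))    # [103]
```

The check to take away is the one in sanitize_redirect_target: any value a worker relays from an untrusted server into a line-oriented protocol must have its line terminators encoded or rejected before it is written.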
