A vulnerability in Flatpak allowed bypassing isolation mode

Vulnerability

Simon McVittie recently disclosed a vulnerability (CVE-2021-21261) in Flatpak, the package installation and management utility, that allows an application to bypass sandbox isolation and run arbitrary code in the host system environment.

The vulnerability is in the flatpak-portal D-Bus service (flatpak-portal is also known by its D-Bus service name, org.freedesktop.portal.Flatpak), which launches the "portals" used to arrange access to resources outside the container.

About the flaw

The vulnerability as described is not really one as such, since it stems from how the "flatpak-portal" service works: it allows sandboxed applications to start their own child process in a new sandbox environment, to which the same or stronger isolation settings are applied (for example, to handle untrusted content).

The vulnerability is exploitable because the service passes environment variables specified by the calling process to non-sandboxed handlers on the host system (for example, by running the "flatpak run" command). A malicious application can set environment variables that affect the execution of flatpak and run any code on the host side.

The flatpak-session-helper service (org.freedesktop.Flatpak, which is accessed by flatpak-spawn --host) is intended to give specially marked applications the ability to run arbitrary code on the host system, so it is not a vulnerability that it also trusts the environment variables provided to it.

Granting access to the org.freedesktop.Flatpak service indicates that an application is trusted and can legitimately run arbitrary code outside the sandbox. For example, the GNOME Builder integrated development environment is marked as trusted in this way.

The Flatpak portal's D-Bus service allows applications in a Flatpak sandbox to launch their own subprocesses in a new sandbox, either with the same security settings as the caller or with more restrictive security settings.

An example of this is a web browser packaged with Flatpak, such as Chromium, which launches a subprocess to handle untrusted web content and gives that subprocess a more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes environment variables specified by the caller to non-sandboxed processes on the host system, and in particular to the flatpak run command that is used to launch the new sandbox instance.

A malicious or compromised Flatpak application could set environment variables that the flatpak run command trusts and use them to run arbitrary code that is not in a sandbox.

It should be remembered that many flatpak developers disable isolation mode or grant full access to the home directory.

For example, the GIMP, VSCodium, PyCharm, Octave, Inkscape, Audacity, and VLC packages come with limited isolation mode. If packages with access to the home directory are compromised, then despite the "sandboxed" tag in the package description, an attacker only needs to modify the ~/.bashrc file to run their code.
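
The two permission patterns described above (access to the org.freedesktop.Flatpak service and write access to the home directory) can be checked per installed application. The following Python example is added here and is not code from the Flatpak project or the original article; it assumes it is given the keyfile text printed by `flatpak info --show-permissions <app-id>`, and the sample metadata and the `audit_permissions` name are constructed for illustration.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not from a real package.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;home;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
"""

BROAD_FS = {"home", "host"}  # grants that expose the home directory


def audit_permissions(metadata_text):
    """Return (kind, detail) findings that weaken the 'sandboxed' label."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # D-Bus names are case-sensitive, keep them as-is
    cp.read_string(metadata_text)
    findings = []

    # filesystems is a ';'-separated list; '!' negates, ':ro' is read-only.
    for entry in cp.get("Context", "filesystems", fallback="").split(";"):
        path, _, mode = entry.strip().partition(":")
        if path in BROAD_FS and mode != "ro":
            # Write access to $HOME lets the app edit files such as ~/.bashrc.
            findings.append(("filesystem", path))

    # Talk/own access to org.freedesktop.Flatpak marks the app as trusted
    # to run code outside the sandbox.
    if cp.has_section("Session Bus Policy"):
        policy = cp["Session Bus Policy"].get("org.freedesktop.Flatpak", "none")
        if policy in ("talk", "own"):
            findings.append(("session-bus", "org.freedesktop.Flatpak=" + policy))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_permissions(SAMPLE_METADATA):
        print(f"{kind}: {detail}")
```

An application that produces no findings here still depends on a patched Flatpak version for the portal issue; the audit only shows which applications are not meaningfully confined in the first place.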

A separate issue is control over package changes and trust in package builders, who are often not associated with the main project or with distributions.

Solution

The problem is reported to have been fixed in Flatpak versions 1.10.0 and 1.8.5, but a regression was later found in the fix that caused build problems on systems where bubblewrap support is installed with the setuid flag.

That regression was subsequently fixed in version 1.10.1 (while the update for the 1.8.x branch is not yet available).

Finally, if you are interested in learning more about the vulnerability report, you can check the details at the following link.

