Two bugs in Flatpak fixed by new patch releases

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or generally cause problems.

Corrective updates for the Flatpak toolkit were recently released as versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4. They are already available and fix two vulnerabilities.

For those unfamiliar with Flatpak: it makes it easier for application developers to distribute programs that are not included in the regular distribution repositories, by preparing one universal container instead of creating separate builds for each distribution.

For security-conscious users, Flatpak allows a questionable application to run in a container, giving it access only to the network functions and user files associated with the application. For users interested in what is new, Flatpak allows them to install the latest test and stable versions of applications without making changes to the system.

The key difference between Flatpak and Snap is that Snap uses the components of the main system environment and isolation based on system call filtering, while Flatpak creates a container separate from the system and works with large runtime suites, providing standard bundles instead of individual packages as dependencies.

About the bugs found in Flatpak

These new security updates fix two detected bugs. One of them was discovered by Ryan Gonzalez (CVE-2023-28101), who found that malicious maintainers of a Flatpak application could manipulate or hide the permission display by requesting permissions that include ANSI terminal control codes or other non-printable characters.

This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by displaying non-printable characters in escaped form (\xXX, \uXXXX, \UXXXXXXXXX) so that they do not alter the terminal's behavior, and by treating non-printable characters in certain contexts as invalid (not allowed).

When installing or updating a Flatpak app using the flatpak CLI, the user is normally shown the special permissions the new app has in its metadata, so they can make an informed decision about whether to allow its installation.

When retrieving an application's permissions to display to the user, a graphical interface remains responsible for filtering or escaping any characters that have special meaning to its GUI libraries.
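The display-side escaping described above can be sketched as follows. This is an added example, not Flatpak's own code: the function names, the sample metadata and the choice of 8 hex digits for the `\U` form are assumptions of the example.

```python
def escape_for_terminal(text: str) -> str:
    """Replace every non-printable code point with a visible escape."""
    out = []
    for ch in text:
        cp = ord(ch)
        if ch == "\\":
            out.append("\\\\")           # keep the escaped output unambiguous
        elif ch.isprintable():
            out.append(ch)               # includes the ASCII space
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")   # e.g. ESC becomes \x1B
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")   # e.g. bidi override U+202E
        else:
            out.append(f"\\U{cp:08X}")
    return "".join(out)


def suspicious_entries(metadata: str):
    """Return (line_number, escaped_line) for lines holding non-printable characters."""
    found = []
    # split on "\n" only: str.splitlines() would swallow some control characters
    for n, line in enumerate(metadata.split("\n"), start=1):
        if any(not c.isprintable() for c in line):
            found.append((n, escape_for_terminal(line)))
    return found


# Constructed sample: a permission entry followed by ANSI codes that would
# move the cursor up and erase a line if printed raw.
SAMPLE_METADATA = (
    "[Application]\n"
    "name=org.example.Demo\n"
    "[Context]\n"
    "shared=network;\n"
    "filesystems=home;\x1b[1A\x1b[2K\n"
)

if __name__ == "__main__":
    for lineno, shown in suspicious_entries(SAMPLE_METADATA):
        print(f"line {lineno}: {shown}")
```

Printing the escaped form instead of the raw string keeps the full permission list visible, and the same scan can be used to reject metadata before it is ever displayed.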

For their part, the descriptions of the vulnerabilities state the following:

  • CVE-2023-28100: the ability to copy and paste text into the input buffer of the virtual console through manipulation of the TIOCLINUX ioctl when installing an attacker-crafted Flatpak package. For example, the vulnerability could be used to stage the launch of arbitrary console commands after the installation of a third-party package has completed. The problem appears only in the classic virtual console (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to flatpak and can be used to attack other applications; for example, similar vulnerabilities were found earlier that allowed character substitution through the TIOCSTI ioctl interface in /bin/sandbox and snap.
  • CVE-2023-28101: the ability to use escape sequences in the permissions list of the package metadata to hide information about the requested extended permissions that is displayed in the terminal during package installation or upgrade through the command line interface. An attacker could use this vulnerability to deceive users about the permissions used by the package. It is noted that GUIs for libflatpak, such as GNOME Software and KDE Plasma Discover, are not affected by this.

Finally, it is mentioned that as a workaround you can use a GUI such as GNOME Software Center instead of the command line interface; it is also recommended to install only applications whose maintainers you trust.

If you want to know more about it, you can consult the details at the following link.

