A corrective update has recently been released for the Flatpak toolkit in versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4. The releases are already available and resolve two vulnerabilities.
For those unfamiliar with Flatpak, it allows application developers to simplify the distribution of programs that are not included in the regular distribution repositories by preparing a single universal container, instead of building a separate package for each distribution.
For security-conscious users, Flatpak lets a questionable application run inside a container, granting it access only to the network functions and the user files associated with that application. For users who want the latest software, Flatpak lets them install the newest test and stable versions of applications without making changes to the base system.
The key difference between Flatpak and Snap is that Snap uses the components of the host system environment together with isolation based on filtering system calls, while Flatpak creates a separate system container and works with large runtime suites, providing typical shared runtimes rather than individual packages as dependencies.
About the bugs found in Flatpak
This security update resolves two identified flaws. One of them was found by Ryan Gonzalez (CVE-2023-28101), who discovered that the malicious maintainers of a Flatpak application could manipulate or hide the permission display by requesting permissions that include ANSI terminal control codes or other non-printing characters.
This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by showing non-printing characters in escaped form (\xXX, \uXXXX, \UXXXXXXXXX) so that they cannot change the terminal's behaviour, and also by treating non-printable characters in certain contexts as invalid (not allowed).
When installing or updating a Flatpak app with the flatpak CLI, the user is normally shown the special permissions that the new application declares in its metadata, so that they can make an informed decision about whether to allow the installation.
When retrieving an application's permissions in order to display them to the user, a graphical front end remains responsible for sanitising or escaping any characters that have special meaning to its own GUI libraries.
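As an added illustration of the display-side fix described above (this is example code written for this page, not Flatpak's own implementation), the following shows the two defensive measures the update applies to untrusted permission strings: rendering every non-printing code point as a visible \xXX, \uXXXX or \UXXXXXXXX escape, and rejecting tokens that contain such characters where a permission must be plain text. The sample metadata is constructed for the example; the function names are the example's own.

```python
# Added example (not Flatpak's own code): escape non-printable characters in
# untrusted permission strings before printing them to a terminal, in the
# style described for the CVE-2023-28101 fix (\xXX, \uXXXX, \UXXXXXXXX), and
# reject such characters outright where a permission token must be plain text.

def escape_nonprintable(text: str, allow_newlines: bool = False) -> str:
    """Return `text` with every non-printable code point replaced by a
    visible escape, so embedded terminal control sequences are shown
    literally instead of being interpreted by the terminal."""
    out = []
    for ch in text:
        if ch.isprintable() or (allow_newlines and ch == "\n"):
            out.append(ch)
            continue
        cp = ord(ch)
        if cp < 0x100:
            out.append(f"\\x{cp:02X}")        # e.g. ESC -> \x1B, CR -> \x0D
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")        # e.g. zero-width space -> \u200B
        else:
            out.append(f"\\U{cp:08X}")        # astral-plane format characters
    return "".join(out)


def is_valid_permission_token(token: str) -> bool:
    """A permission token is accepted only if it is non-empty and contains
    printable characters only; anything else is treated as invalid rather
    than escaped, mirroring the 'not allowed in certain contexts' rule."""
    return bool(token) and all(ch.isprintable() for ch in token)


def render_permission_report(permissions: list[str]) -> list[str]:
    """Build the lines a CLI would print for the user. Invalid tokens are
    shown in escaped form and flagged, so nothing reaches the terminal raw."""
    lines = []
    for token in permissions:
        if is_valid_permission_token(token):
            lines.append(f"  {token}")
        else:
            lines.append(f"  {escape_nonprintable(token)}"
                         "  [rejected: non-printable characters]")
    return lines


# Constructed sample metadata (not from any real package): the second token
# embeds an ANSI "erase line" sequence and a carriage return, the class of
# input the advisory describes as able to hide part of the permission list.
SAMPLE_PERMISSIONS = [
    "--share=network",
    "--filesystem=home\x1b[2K\r--socket=fallback-x11",
]

if __name__ == "__main__":
    for line in render_permission_report(SAMPLE_PERMISSIONS):
        print(line)
```

Running the block prints the second token as `--filesystem=home\x1B[2K\x0D--socket=fallback-x11` with a rejection marker, so the reader sees exactly what the package declared. The check uses `str.isprintable()`, which also classifies Unicode format characters such as zero-width spaces as non-printable; a front end that must preserve line breaks can pass `allow_newlines=True`.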
Part of the vulnerability description that was shared with us reads as follows:
- CVE-2023-28100: the ability to copy and paste text into the console input buffer by manipulating the TIOCLINUX ioctl while an attacker-crafted Flatpak package is being installed. For example, the vulnerability could be used to launch arbitrary console commands after the installation of a third-party package has completed. The issue only appears on the classic virtual console (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to flatpak and can be used to attack other applications; for example, similar vulnerabilities were previously found that allowed character substitution via the TIOCSTI ioctl interface in /bin/sandbox and snap.
- CVE-2023-28101: the ability to use escape sequences in the permission list in package metadata to hide information about the requested permissions shown in the terminal during package installation or upgrade through the command-line interface. An attacker could use this vulnerability to mislead users about the permissions a package uses. It is noted that libflatpak GUIs, such as GNOME Software and KDE Plasma Discover, are not directly affected.
Finally, it is mentioned that, as a workaround, you can use a GUI such as the GNOME Software Center instead of the command-line interface, or alternatively only install applications from maintainers you trust.
If you are interested in learning more about it, you can consult the details at the following link.