Two vulnerabilities fixed in Flatpak with new corrective updates

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

Corrective updates for the Flatpak toolkit were recently released in the different branches as versions 1.14.4, 1.12.8, 1.10.8 and 1.15.4; they are already available and resolve two vulnerabilities.

For those unfamiliar with Flatpak, it allows application developers to simplify the distribution of programs that are not included in the regular distribution repositories by preparing a single universal container, instead of creating separate builds for each distribution.

For security-conscious users, Flatpak allows a questionable application to run in a container, giving it access only to the network functions and user files associated with that application. For users interested in the newest software, Flatpak lets them install the latest test and stable versions of applications without making changes to the system.

The main difference between Flatpak and Snap is that Snap uses the main components of the system environment plus isolation based on system-call filtering, whereas Flatpak creates a separate system container and works with large runtime suites, providing typical packages as a runtime rather than as individual dependencies.

About the bugs found in Flatpak

These new security updates provide a fix for two flaws. One of them, discovered by Ryan Gonzalez (CVE-2023-28101), showed that malicious maintainers of a Flatpak application could trick or hide the permission display by requesting permissions that include ANSI terminal control codes or other non-printable characters.

This was fixed in Flatpak 1.14.4, 1.15.4, 1.12.8 and 1.10.8 by showing non-printable characters in escaped form (\xXX, \uXXXX, \UXXXXXXXX) so that they cannot change the terminal's behaviour, and also by treating non-printable characters in certain contexts as invalid (not allowed).

When installing or updating a Flatpak application with the flatpak CLI, the user is normally shown the special permissions that the new application declares in its metadata, so that they can make an informed decision about whether to allow the installation.

When retrieving an application's permissions to show them to the user, a graphical interface remains responsible for filtering or escaping any characters that have a special meaning for its GUI libraries.

Partly from the vulnerability description, the following is shared with us:

  • CVE-2023-28100: the ability to copy and paste text into the input buffer of the virtual console via TIOCLINUX ioctl manipulation when installing an attacker-crafted Flatpak package. For example, the vulnerability could be used to stage the launch of arbitrary console commands after the installation of a third-party package completes. The problem only appears in the classic virtual console (/dev/tty1, /dev/tty2, etc.) and does not affect sessions in xterm, gnome-terminal, Konsole and other graphical terminals. The vulnerability is not specific to flatpak and can be used to attack other applications; for example, similar vulnerabilities allowing character substitution through the TIOCSTI ioctl interface were previously found in /bin/sandbox and snap.
  • CVE-2023-28101: the ability to use escape sequences in the permission list in the package metadata to hide information about additional requested permissions shown in the terminal during package installation or upgrade via the command-line interface. An attacker could use this vulnerability to deceive users about the permissions used by the package. It is noted that libflatpak GUIs, such as GNOME Software and KDE Plasma Discover, are not directly affected by this.
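The following is an added example, not code from Flatpak itself, showing the kind of output sanitisation the fix for CVE-2023-28101 describes: non-printable characters in a permission string are rendered as \xXX, \uXXXX or \UXXXXXXXX escapes before being printed, and a permission token that contains them is flagged as invalid. The metadata layout and the sample permission list are constructed for the example.

```python
# Added example (not Flatpak's own code): make permission strings from package
# metadata safe to print in a terminal, following the approach described in the
# advisory: escape non-printables as \xXX, \uXXXX or \UXXXXXXXX, and reject
# them outright where a permission must be plain printable text.

def escape_nonprintable(text: str) -> str:
    """Return text with every non-printable code point shown as an escape."""
    out = []
    for ch in text:
        if ch.isprintable():
            out.append(ch)
            continue
        cp = ord(ch)
        if cp < 0x100:
            out.append(f"\\x{cp:02X}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04X}")
        else:
            out.append(f"\\U{cp:08X}")
    return "".join(out)


def is_valid_permission(token: str) -> bool:
    """Strict check for contexts where a permission must be plain printable text."""
    return len(token) > 0 and all(ch.isprintable() for ch in token)


def render_permissions(metadata_value: str) -> list[str]:
    """Split a ';'-separated metadata value (assumed layout) into safe display lines."""
    lines = []
    for token in metadata_value.split(";"):
        if not token:
            continue
        safe = escape_nonprintable(token)
        flag = "" if is_valid_permission(token) else "  [INVALID: non-printable characters]"
        lines.append(f"  {safe}{flag}")
    return lines


# Constructed sample: a permission list carrying an ANSI control sequence
# (ESC [ 2 K clears the current line, CR returns to column 0). Printing the
# raw value would let the terminal act on it instead of displaying it.
SAMPLE = "network;home\x1b[2K\rxdg-download"

if __name__ == "__main__":
    print("Permissions requested by the package:")
    for line in render_permissions(SAMPLE):
        print(line)
```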

Finally, it is mentioned that, as a workaround, you can use a GUI such as GNOME Software Center instead of the command-line interface; it is also recommended to install only applications whose maintainers you trust.

If you would like to know more about it, you can consult the details at the following link.
