I-cURL yiprojekthi yesoftware ebandakanya ithala leencwadi kunye netoliki yomyalelo ejolise kudluliselo lwefayile.
Daniel Stenberg (umbhali weprojekthi ye-cURL) esandula kubhengezwa ngeposi blog, ulwazi malunga ubuthathaka obuchongiwe kubo into eluncedo ukufumana kunye nokuthumela idatha kwinethiwekhi curl kunye nelayibrari ye-libcurl.
Kukhankanyiwe ukuba sesichengeni (sele kuluhlu phantsi kweCVE-2023-38545) kungenxa yegciwane kwikhowudi yesisombululo segama lenginginya phambi kokufikelela kwi-SOCKS5 proxy.
I-SOCKS5 yiprothokholi yommeli. Yindlela elandelwayo elula yokuseta unxibelelwano lwenethiwekhi ngokusebenzisa "umrhwebi" ozinikeleyo. Umzekelo, iprotocol iqhele ukusetyenziswa xa kusetwa unxibelelwano ngeTor, kodwa nokufikelela kwi-Intanethi kwimibutho nakwiinkampani.
I-SOCKS5 ineendlela ezimbini ezahlukeneyo zokusombulula igama lomninimzi. Mhlawumbi umxhasi ulungisa igama lenginginya ekuhlaleni kwaye adlule indawo yokufikela njengedilesi esonjululweyo, okanye umxhasi ugqithise igama lenginginya eligqibeleleyo kummeli kwaye avumele ummeli ukuba asombulule umamkeli ekude.
Ngokunjalo ukusilela inokubangela ukuphuphuma kwesithinteli kunye nokwenza umhlaseli-kwicala ikhowudi yeklayenti xa ufikelela kwiseva yeHTTPS elawulwa ngumhlaseli nge-curl eluncedo okanye isicelo esisebenzisa i-libcurl. kodwa ingxaki ikhona kuphela ukuba ufikelelo usebenzisa i-SOCKS5 proxy yenziwe kwi-curl. Xa ufikelela ngokuthe ngqo ngaphandle kwe-proxy, ubuthathaka akubonakali.
Umnini wesiza ekufikelelwe kuso nge-curl nge-SOCKS5 proxy uchazwa njengokwaziyo uku:
Qalisa ukuphuphuma kwesikhuseli secala lomxhasi ngokubuyisela isicelo sokwalathisa kwakhona ikhowudi (HTTP 30x) kunye nokuseta "Indawo:" okubhalwe ngasentla kwi-URL enegama lenginginya elinobungakanani obusuka kwi-16 ukuya kwi-64 KB (16 KB lolona bungakanani bukhulu). ukuphuphuma kwi-buffer eyabiweyo kunye ne-65 KB ngobona bude buvunyelweyo begama lenginginya kwi-URL).
Ukuba isicelo solwalathiso lwenziwe lwasebenza kuqwalaselo lwe-libcurl kwaye i-SOCKS5 proxy esetyenzisiweyo icotha ngokwaneleyo, ngoko igama lenginginya elide liza kubhalwa kwisithinteli esincinci, ngokucacileyo sobukhulu obuncinci.
Kwiposti yakhe yebhlog, UDaniel Stenberg ukhankanye ukuba sesichengeni kuhlala kungabonwa kangangeentsuku ezili-1315. Ikwathi i-41% ye-vulnerabilities echongiweyo ngaphambili kwi-curl mhlawumbi ibinokuphetshwa ukuba i-curl ibibhalwe ngolwimi olukhuselekileyo kwimemori, kodwa akukho zicwangciso zokuphinda ubhale i-curl ngolunye ulwimi kwixesha elizayo.
Ukuba sesichengeni kuchaphazela ikakhulu usetyenziso olusekwe kwi-libcurl kwaye ibonakala kusetyenziso lwe-curl kuphela xa usebenzisa "-umyinge-umyinge" ukhetho ngexabiso elingaphantsi kwe-65541, ekubeni i-libcurl yabela i-buffer ye-16 KB ngokungagqibekanga kunye ne-100 KB kwi-curl, kodwa lo bungakanani butshintsha ngokuxhomekeke kwixabiso " -Izinga lomda” ipharamitha.
Kukhankanyiwe ukuba igama lomkhosi lifikelela kuma-256 oonobumba, i-curl ngokukhawuleza idlulisela igama kwi-SOCKS5 proxy ukuze isonjululwe, kwaye ukuba igama lingaphezulu koonobumba abangama-255, itshintshela kwisicombululi sendawo kwaye igqithise idilesi esele ichaziwe kwi-SOCKS5. . Ngenxa yegciwane kwikhowudi, iflegi ebonisa imfuno yesisombululo sendawo inokumiselwa kwixabiso elingachanekanga ngexesha lothethathethwano olucothayo loqhagamshelwano olungaphezulu kwe-SOCKS5, ekhokelela ekubeni igama elide lomamkeli libhalelwe kwisithinteli esinikezelweyo ngokulindeleka kokugcina iIP. idilesi okanye igama, hayi ukuba ngaphezulu koonobumba abangama-255.
Okokugqibela, kuyakhankanywa ukuba ukuba sesichengeni kwalungiswa kwi-curl version 8.4.0 kwaye njengamanyathelo okuphucula ukhuseleko lwesiseko sekhowudi, kucetywayo ukwandisa izixhobo zokuvavanya ikhowudi kunye nokusebenzisa ngokusebenzayo ukuxhomekeka okubhalwe kwiilwimi zeprogram eziqinisekisa ukusebenza ngokukhuselekileyo ngememori. Ikwathathela ingqalelo ukubuyisela ngokuthe ngcembe iinxalenye ze-curl kunye neenketho ezibhalwe ngeelwimi ezikhuselekileyo, ezinje ngovavanyo lwe-Hyper HTTP backend ephunyezwe kwi-Rust.
Ukuba ukhona unomdla wokwazi ngakumbi ngayo, ungajonga iinkcukacha Kule khonkco ilandelayo.