Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against the vulnerabilities are common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which it then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on OWASP attack index.
The highlighted line of code below is the trigger point of this particular Alpine 3.7 buffer weakness.
# if !@HAVE_DECL_GETLINE@ _GL_FUNCDECL_SYS (getline, ssize_t, (char **lineptr, size_t *linesize, FILE *stream) _GL_ARG_NONNULL ((1, 2, 3))); # endif _GL_CXXALIAS_SYS (getline, ssize_t, (char **lineptr, size_t *linesize, FILE *stream)); # endif # if @HAVE_DECL_GETLINE@ _GL_CXXALIASWARN (getline); # endif #elif defined GNULIB_POSIXCHECK # undef getline # if HAVE_RAW_DECL_GETLINE _GL_WARN_ON_USE (getline, "getline is unportable - " "use gnulib module getline for portability"); # endif #endif /* It is very rare that the developer ever has full control of stdin, so any use of gets warrants an unconditional warning; besides, C11 removed it. */ #undef gets #if HAVE_RAW_DECL_GETS && !defined __cplusplus _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead"); #endif #if @GNULIB_OBSTACK_PRINTF@ || @GNULIB_OBSTACK_PRINTF_POSIX@ struct obstack; /* Grow an obstack with formatted output. Return the number of bytes added to OBS. No trailing nul byte is added, and the object should be closed with obstack_finish before use. Upon memory allocation error, call obstack_alloc_failed_handler. Upon other error, return -1. */ # if @REPLACE_OBSTACK_PRINTF@ # if !(defined __cplusplus && defined GNULIB_NAMESPACE) # define obstack_printf rpl_obstack_printf # endif _GL_FUNCDECL_RPL (obstack_printf, int, (struct obstack *obs, const char *format, ...) _GL_ATTRIBUTE_FORMAT_PRINTF (2, 3) _GL_ARG_NONNULL ((1, 2))); _GL_CXXALIAS_RPL (obstack_printf, int, (struct obstack *obs, const char *format, ...)); # else # if !@HAVE_DECL_OBSTACK_PRINTF@ _GL_FUNCDECL_SYS (obstack_printf, int, (struct obstack *obs, const char *format, ...) _GL_ATTRIBUTE_FORMAT_PRINTF (2, 3) _GL_ARG_NONNULL ((1, 2)));