alpine 3.7
misc weakness #423


Weakness Breakdown
Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data.

File Name:

libc0.9.32/src/uClibc-0.9.33.2/libc/unistd/getpass.c

Context:

The line of code below that defines getpass is the trigger point of this particular Alpine 3.7 misc weakness.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, write to the Free
   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
   02111-1307 USA.  */

#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

#if defined __USE_BSD || (defined __USE_XOPEN && !defined __USE_XOPEN2K)


/* It is desirable to use this bit on systems that have it.
   The only bit of terminal state we want to twiddle is echoing, which is
   done in software; there is no need to change the state of the terminal
   hardware.  */

#ifndef TCSASOFT
#define TCSASOFT 0
#endif
#define PWD_BUFFER_SIZE 256

char * getpass (const char *prompt)
{
  FILE *in, *out;
  struct termios s, t;
  int tty_changed;
  static char buf[PWD_BUFFER_SIZE];
  int nread;

  /* Try to write to and read from the terminal if we can.
     If we can't open the terminal, use stderr and stdin.  */

  out = in = fopen ("/dev/tty", "r+");
  if (in == NULL)
    {
      in = stdin;
      out = stderr;
    }
  else
    {
      /* Disable buffering for read/write FILE to prevent problems with
       * fseek and buffering for read/write auto-transitioning. */
      setvbuf(in, NULL, _IONBF, 0);
    }

  /* Turn echoing off if it is on now.  */
