Mitigate Baron Samedit (CVE-2021-3156) vulnerability

alpine 3.7
misc weakness #427

4

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but was removed by POSIX.2. Exactly what it does varies considerably between systems, particularly in where its prompt is displayed and where it reads its input from.

File Name:

netatalk/src/netatalk-3.1.11/bin/afppasswd/afppasswd.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 misc weakness.

 	  fprintf(stderr, "Your password is disabled. Please see your administrator.\n");
	  break;
	}
	goto found_entry;
      }
    }
    pos = ftell(fp);
    memset(buf, 0, sizeof(buf));
  }

  if (flags & OPT_ADDUSER) {
    strcpy(buf, name);
    strcat(buf, FORMAT);
    p = strchr(buf, ':') + 1;
    fwrite(buf, strlen(buf), 1, fp);
  } else {
    fprintf(stderr, "afppasswd: can't find %s in %s\n", name, path);
    err = -1;
    goto update_done;
  }

found_entry:
  /* need to verify against old password */
  if ((flags & OPT_ISROOT) == 0) {
    passwd = getpass("Enter OLD AFP password: ");
    convert_passwd(p, NULL, keyfd);
    if (strncmp(passwd, p, PASSWDLEN)) {
      fprintf(stderr, "afppasswd: invalid password.\n");
      err = -1;
      goto update_done;
    }
  }

  /* new password */
  passwd = getpass("Enter NEW AFP password: ");
  memcpy(password, passwd, sizeof(password));
  password[PASSWDLEN] = '\0';
#ifdef USE_CRACKLIB
  if (!(flags & OPT_NOCRACK)) {
    if (passwd = FascistCheck(password, _PATH_CRACKLIB)) { 
        fprintf(stderr, "Error: %s\n", passwd);
        err = -1;
        goto update_done;
    } 
  }
#endif /* USE_CRACKLIB */

  passwd = getpass("Enter NEW AFP password again: ");
  if (strcmp(passwd, password) == 0) {
     struct flock lock; 
