alpine 3.7
shell weakness #37

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

gvfs/src/gvfs-1.34.1/daemon/pty_open.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 shell weakness.

 			_exit(0);

		/* Set up stdin/out/err */
		dup2(stdin_pipe[0], STDIN_FILENO);
		dup2(stdout_pipe[1], STDOUT_FILENO);
		dup2(stderr_pipe[1], STDERR_FILENO);
		close(stdin_pipe[0]);
		close(stdout_pipe[1]);
		close(stderr_pipe[1]);

		/* Reset our signals -- our parent may have done any number of
		 * weird things to them. */
		_pty_reset_signal_handlers();

		/* Outta here. */
		if (argv != NULL) {
			for (i = 0; (argv[i] != NULL); i++) ;
			args = g_malloc0(sizeof(char*) * (i + 1));
			for (i = 0; (argv[i] != NULL); i++) {
				args[i] = g_strdup(argv[i]);
			}
			execvp(command, args);
		} else {
			arg = g_strdup(command);
			execlp(command, arg, NULL);
		}

		/* Avoid calling any atexit() code. */
		_exit(0);
		g_assert_not_reached();
	}

	/*
	 * Parent
	 */
	close(stdin_pipe[0]);
	close(stdout_pipe[1]);
	close(stderr_pipe[1]);

	*child = pid;
	*stdin_fd = stdin_pipe[1];
	*stdout_fd = stdout_pipe[0];
	*stderr_fd = stderr_pipe[0];

	return (master);

 bail_fork:
	close(stderr_pipe[0]);
	close(stderr_pipe[1]);
 bail_stderr: 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.