alpine 3.7
shell weakness #8


Weakness Breakdown


A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:



The flagged line of code below is the trigger point of this particular Alpine 3.7 shell weakness: the `execvp(file, argv)` call in `sane_execvp()`, which replaces the current process with a program resolved through `$PATH`.

```c
/* Excerpt from git's run-command.c as shipped in the Alpine 3.7 package.
 * The excerpt starts inside the $PATH-walking loop of locate_in_PATH(),
 * which returns the first path at which `file` exists (caller frees it). */
		strbuf_addstr(&buf, file);

		if (!access(buf.buf, F_OK))
			return strbuf_detach(&buf, NULL);

		if (!*end)
			break;
		p = end + 1;
	}

	strbuf_release(&buf);	/* nothing found: release the scratch buffer */
	return NULL;
}

static int exists_in_PATH(const char *file)
{
	char *r = locate_in_PATH(file);
	free(r);	/* only the yes/no answer is needed, not the path */
	return r != NULL;
}

int sane_execvp(const char *file, char * const argv[])
{
	/* Flagged call: execvp() replaces this process with `file`,
	 * resolving it through $PATH when `file` contains no "/". */
	if (!execvp(file, argv))
		return 0; /* cannot happen ;-) */

	/*
	 * When a command can't be found because one of the directories
	 * listed in $PATH is unsearchable, execvp reports EACCES, but
	 * careful usability testing (read: analysis of occasional bug
	 * reports) reveals that "No such file or directory" is more
	 * intuitive.
	 *
	 * We avoid commands with "/", because execvp will not do $PATH
	 * lookups in that case.
	 *
	 * The reassignment of EACCES to errno looks like a no-op below,
	 * but we need to protect against exists_in_PATH overwriting errno.
	 */
	if (errno == EACCES && !strchr(file, '/'))
		errno = exists_in_PATH(file) ? EACCES : ENOENT;
	else if (errno == ENOTDIR && !strchr(file, '/'))
		errno = ENOENT;
	return -1;
}

static const char **prepare_shell_cmd(struct argv_array *out, const char **argv)
{
	if (!argv[0])
	/* excerpt ends here on the source page */
```
