alpine 3.8
crypto weakness #5


Weakness Breakdown


This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.8 crypto weakness.

   if (!pwd) {
      // No such user

   if (*pwd->pw_passwd != '\0') {
      const char *passwd = pwd->pw_passwd;
      const char *crypt_pw;

      // looks like a shadow password, so use it instead
      if (strcmp(passwd, "x") == 0) {
         struct spwd *sp = getspnam(userName);
         if (sp) {
            passwd = sp->sp_pwdp;

      crypt_pw = crypt(password, passwd);
      if (!crypt_pw || (strcmp(crypt_pw, passwd) != 0)) {
         // Incorrect password

      // Clear out crypt()'s internal state, too.
      crypt("glurp", passwd);
#endif /* !USE_PAM */

   return VGAuth_CreateHandleForUsername(ctx, userName,
                                         NULL, handle);

 * VGAuthInitAuthenticationPlatform --                                   */ /**
 * Initializes any POSIX-specific authentication resources.
 * @param[in]  ctx        The VGAuthContext to initialize.
 * @return VGAUTH_E_OK on success, VGAuthError on failure

VGAuthInitAuthenticationPlatform(VGAuthContext *ctx)
