alpine 3.8
crypto weakness #598

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later found to be unsafe once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

innoextract/src/innoextract-1.7/src/stream/chunk.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 crypto weakness.

  */
class inno_arc4_crypter : public boost::iostreams::multichar_input_filter {
	
private:
	
	typedef boost::iostreams::multichar_input_filter base_type;
	
public:
	
	typedef base_type::char_type char_type;
	typedef base_type::category category;
	
	inno_arc4_crypter(const char * key, size_t length) {
		
		arc4.init(key, length);
		arc4.discard(1000);
		
	}
	
	template <typename Source>
	std::streamsize read(Source & src, char * dest, std::streamsize n) {
		
		std::streamsize length = boost::iostreams::read(src, dest, n);
		if(length != EOF) {
			arc4.crypt(dest, dest, size_t(n));
		}
		
		return length;
	}
	
private:
	
	crypto::arc4 arc4;
	
};

#endif // INNOEXTRACT_HAVE_ARC4

} // anonymous namespace

bool chunk::operator<(const chunk & o) const {
	
	if(first_slice != o.first_slice) {
		return (first_slice < o.first_slice);
	} else if(offset != o.offset) {
		return (offset < o.offset);
	} else if(size != o.size) {
		return (size < o.size);
	} else if(compression != o.compression) {
		return (compression < o.compression); 
