alpine 3.8
shell weakness #13

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

icinga2/src/icinga2-2.8.4/lib/base/utility.cpp

Context:

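The highlighted line of code below is the trigger point of this particular Alpine 3.8 shell weakness. The highlighting is not preserved in this text; the warning above concerns calls that start a new program, which in this excerpt are the popen() calls. Each of them passes a fixed command string to the shell.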

 		while (fgets(line, sizeof(line), fp) != NULL)
			msgbuf << line;
		int status = pclose(fp);
		if (WEXITSTATUS(status) == 0) {
			if (platformName)
				*platformName = msgbuf.str();
		}
	}

	/*
	 * Run "lsb_release -s -r" and, if the command exits with status 0,
	 * store its output in *platformVersion.
	 *
	 * popen() hands the string to the shell. The string is a fixed literal:
	 * nothing is concatenated into it here, so the command text itself does
	 * not depend on input. The shell still looks up "lsb_release" through the
	 * environment the process runs with.
	 * NOTE(review): confirm that PATH is trusted wherever this code runs.
	 *
	 * "type lsb_release >/dev/null 2>&1" only probes for the tool; its output
	 * is discarded and "&&" skips the second command when the probe fails.
	 */
	fp = popen("type lsb_release >/dev/null 2>&1 && lsb_release -s -r 2>&1", "r");

	if (fp != NULL) {
		std::ostringstream msgbuf;
		char line[1024];
		/*
		 * fgets() returns at most sizeof(line) - 1 bytes per call; a longer
		 * line arrives in several pieces, which are appended in order.
		 * The trailing "2>&1" merges stderr into the captured stream, so
		 * msgbuf can also hold error text.
		 */
		while (fgets(line, sizeof(line), fp) != NULL)
			msgbuf << line;
		int status = pclose(fp);
		/*
		 * NOTE(review): WEXITSTATUS() is only meaningful when
		 * WIFEXITED(status) is true; neither that nor a pclose() result of -1
		 * is checked before the comparison.
		 */
		if (WEXITSTATUS(status) == 0) {
			/* The caller may pass a null pointer; the text is stored as read, without trimming. */
			if (platformVersion)
				*platformVersion = msgbuf.str();
		}
	}

	/*
	 * OS X: run "sw_vers -productName" and, if the command exits with
	 * status 0, store the trimmed output in *platformName.
	 *
	 * popen() hands the string to the shell. The string is a fixed literal:
	 * nothing is concatenated into it here. The shell still looks up
	 * "sw_vers" through the environment the process runs with.
	 * NOTE(review): confirm that PATH is trusted wherever this code runs.
	 */
	fp = popen("type sw_vers >/dev/null 2>&1 && sw_vers -productName 2>&1", "r");

	if (fp != NULL) {
		std::ostringstream msgbuf;
		char line[1024];
		/*
		 * fgets() returns at most sizeof(line) - 1 bytes per call; a longer
		 * line arrives in several pieces, which are appended in order.
		 * The trailing "2>&1" merges stderr into the captured stream.
		 */
		while (fgets(line, sizeof(line), fp) != NULL)
			msgbuf << line;
		int status = pclose(fp);
		/*
		 * NOTE(review): WEXITSTATUS() is only meaningful when
		 * WIFEXITED(status) is true; neither that nor a pclose() result of -1
		 * is checked before the comparison.
		 */
		if (WEXITSTATUS(status) == 0) {
			String info = msgbuf.str();
			/* Presumably strips surrounding whitespace such as the final newline; String::Trim is not shown here. */
			info = info.Trim();

			/* The caller may pass a null pointer, in which case the result is dropped. */
			if (platformName)
				*platformName = info;
		}
	}

	fp = popen("type sw_vers >/dev/null 2>&1 && sw_vers -productVersion 2>&1", "r");

	if (fp != NULL) {
		std::ostringstream msgbuf;
		char line[1024];
		while (fgets(line, sizeof(line), fp) != NULL)
			msgbuf << line;
		int status = pclose(fp);
		if (WEXITSTATUS(status) == 0) { 
