alpine 3.8
shell weakness #14

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

feh/src/feh-2.26/src/imlib.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 shell weakness.

 	int devnull = -1;
	char op_name[]  = "rotate";     /* message */
	char op_op[]    = "-rotate";    /* jpegtran option */
	char op_value[] = "horizontal"; /* jpegtran option's value */

	if (op == INPLACE_EDIT_FLIP) {
		sprintf(op_name,  "flip");
		sprintf(op_op,    "-flip");
		sprintf(op_value, "vertical");
	} else if (op == INPLACE_EDIT_MIRROR) {
		sprintf(op_name,  "mirror");
		sprintf(op_op,    "-flip");
	} else
		snprintf(op_value, 4, "%d", 90 * op);

	snprintf(file_str, len, "%s", filename);

	if ((pid = fork()) < 0) {
		im_weprintf(w, "lossless %s: fork failed:", op_name);
		free(file_str);
		return;
	}
	else if (pid == 0) {

		execlp("jpegtran", "jpegtran", "-copy", "all", op_op, op_value,
				"-outfile", file_str, file_str, NULL);

		weprintf("lossless %s: Is 'jpegtran' installed? Failed to exec:", op_name);
		_exit(1);
	}
	else {
		waitpid(pid, &status, 0);

		if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
			im_weprintf(w,
					"lossless %s: Got exitcode %d from jpegtran."
					" Commandline was: "
					"jpegtran -copy all %s %s -outfile %s %s",
					op_name, status >> 8, op_op, op_value, file_str, file_str);
			free(file_str);
			return;
		}
	}
	if ((pid = fork()) < 0) {
		im_weprintf(w, "lossless %s: fork failed while updating EXIF tags:", op_name);
	}
	else if (pid == 0) {

		/* discard normal output */
		devnull = open("/dev/null", O_WRONLY); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.