alpine 3.8
shell weakness #21

4

Weakness Breakdown

Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

pth/src/pth-2.0.7/pth_syscall.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 shell weakness.

 **  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
**  Lesser General Public License for more details.
**
**  You should have received a copy of the GNU Lesser General Public
**  License along with this library; if not, write to the Free Software
**  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
**  USA, or contact Ralf S. Engelschall <rse@engelschall.com>.
**
**  pth_syscall.c: Pth direct syscall support
*/
                             /* ''Free Software: generous programmers
                                  from around the world all join
                                  forces to help you shoot yourself
                                  in the foot for free.''
                                                 -- Unknown         */
/*
 * Prevent system includes from declaring the syscalls in order to avoid
 * prototype mismatches. In theory those mismatches should not happen
 * at all, but slight (but still compatible) differences (ssize_t vs.
 * size_t, etc) can lead to a compile-time failure (although run-time
 * would be ok). Hence protect ourself from this situation.
 */
#define fork          __pth_sys_fork
#define waitpid       __pth_sys_waitpid
#define system        __pth_sys_system
#define nanosleep     __pth_sys_nanosleep
#define usleep        __pth_sys_usleep
#define sleep         __pth_sys_sleep
#define sigprocmask   __pth_sys_sigmask
#define sigwait       __pth_sys_sigwait
#define select        __pth_sys_select
#define pselect       __pth_sys_pselect
#define poll          __pth_sys_poll
#define connect       __pth_sys_connect
#define accept        __pth_sys_accept
#define read          __pth_sys_read
#define write         __pth_sys_write
#define readv         __pth_sys_readv
#define writev        __pth_sys_writev
#define recv          __pth_sys_recv
#define send          __pth_sys_send
#define recvfrom      __pth_sys_recvfrom
#define sendto        __pth_sys_sendto
#define pread         __pth_sys_pread
#define pwrite        __pth_sys_pwrite

/* include the private header and this way system headers */
#include "pth_p.h"

/* some exported variables for object layer checks */ 
