alpine 3.8
shell weakness #32


Weakness Breakdown


A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.8 shell weakness.

 static char	*tty_type;		/* ptr to char [pt] denoting
					   whether it is a pty or tty */
static char	*tty_bank;		/* ptr to char [p-z] denoting
					   which bank it is */
static char	*tty_num;		/* ptr to char [0-f] denoting
					   which number it is */
char *exp_pty_slave_name;
char *exp_pty_error;

static void
char *s;		/* args to stty */
char *name;		/* name of pty */
#define MAX_ARGLIST 10240
	char buf[MAX_ARGLIST];	/* overkill is easier */
	RETSIGTYPE (*old)();	/* save old sigalarm handler */

	sprintf(buf,"%s %s > %s",STTY_BIN,s,name);
	sprintf(buf,"%s %s < %s",STTY_BIN,s,name);
	old = signal(SIGCHLD, SIG_DFL);
	signal(SIGCHLD, old);	/* restore signal handler */

int exp_dev_tty;	/* file descriptor to /dev/tty or -1 if none */
static int knew_dev_tty;/* true if we had our hands on /dev/tty at any time */

static struct winsize winsize = {0, 0};
#if defined(TIOCGSIZE) && !defined(TIOCGWINSZ)
static struct ttysize winsize = {0, 0};

exp_tty exp_tty_original;

#define GET_TTYTYPE	0
#define SET_TTYTYPE	1
static void
int request;
int fd;
		/* following are used only if request == SET_TTYTYPE */
int ttycopy;	/* if true, copy from /dev/tty */
int ttyinit;	/* if true, initialize to sane state */
char *s;	/* stty args */ 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.