alpine 3.9
crypto weakness #5


Weakness Breakdown


This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms once considered safe are routinely found to be unsafe later, as attacks improve and the algorithms are broken; a password hash that was adequate on 1970s hardware is the textbook case.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:



The crypt() call in HylaFAXServer::checkpasswdHosts in the code below is the trigger point of this particular Alpine 3.9 crypto weakness. Whether the warning applies in practice depends on what is stored in the passwd field read from the host access file: crypt(3) in musl (Alpine's libc) and in glibc selects the hash scheme from its salt argument, so a traditional 13-character DES hash gives exactly the 8-character password limit and 2-character (4096-value) salt the warning describes, whereas a stored hash with a $5$, $6$ or $2b$ prefix dispatches to SHA-256, SHA-512 or bcrypt. Two further checks worth making when reviewing this code: an empty passwd field means no password is required at all (the "no password required" branch below), and the return value of crypt() is passed straight to strcmp() although the crypt(3) manual page documents a NULL return on error, so checking it before comparing is worthwhile.

		    if (*cp == ':') {	// :passwd[:adminwd]
			for (base = ++cp; *cp && *cp != ':'; cp++)
			    ;
			if (*cp == ':') {
			    passwd = fxStr(base, cp-base);
			    adminwd = cp+1;
			} else
			    passwd = base;
		    } else
			passwd = "";	// no password required
		return (true);
    passwd = "*";
    return (false);

bool
HylaFAXServer::checkpasswdHosts (const char* pass)
{
    if (strcmp(crypt(pass,passwd),passwd) == 0)	// trigger point: crypt(3) with the stored hash as salt
        return true;

    return false;
}

fxDECLARE_PtrKeyDictionary(IDCache, u_int, fxStr)
fxIMPLEMENT_PtrKeyObjValueDictionary(IDCache, u_int, fxStr)

/*
 * Read the host access file and fill the ID cache
 * with entries that map fax UID to name.  We pick
 * names by stripping any host part from matching
 * regex's and by mapping ''.*'' user matches to a
 * generic ''anyone'' name.
 * XXX Maybe should convert RE entries to numeric
 *     equivalent of ID to avoid funky names???
 */
    idcache = new IDCache;
    FILE* db = fopen(fixPathname(userAccessFile), "r");
    if (db != NULL) {
	char line[1024]; 
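Because the crypt() call above is only as weak as the salt string hfaxd feeds it, the practical check is to look at what the host access file actually stores. The following is an added example, not HylaFAX code: it parses lines in the client[:uid[:passwd[:adminwd]]] order that the excerpt's ':passwd[:adminwd]' comment implies (the uid field and the hosts.hfaxd layout are assumptions here), classifies each password field by the scheme crypt(3) in musl or glibc would select for it, and reports the entries that fall under the warning. The sample input is constructed and its hash bodies are placeholders; the script inspects shape and prefix only and never computes a hash.

```python
"""Audit a hosts.hfaxd-style access file for the crypt(3) weakness above.

Added example, not HylaFAX code. It assumes the line format
    client[:uid[:passwd[:adminwd]]]
which is the field order the hfaxd excerpt parses (':passwd[:adminwd]' after
the uid), and it only inspects what each passwd field will make crypt(3) do;
it does not compute any hashes itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traditional DES crypt: 2-char salt + 11-char hash, all from this 64-char alphabet.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes that musl (Alpine) and glibc crypt(3) dispatch on.
_MODULAR_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# Schemes a reviewer should be told about. "none" is hfaxd's "no password
# required" branch; "descrypt" is exactly the case the warning describes.
WEAK_SCHEMES = {"none", "descrypt", "md5crypt", "invalid"}


@dataclass
class Entry:
    client: str
    uid: Optional[str]
    passwd: str                 # "" means hfaxd requires no password
    adminwd: Optional[str]      # None when the field is absent


def parse_line(line: str) -> Optional[Entry]:
    """Split one line the way the excerpt does: passwd runs up to the next ':'
    and everything after that ':' (including further colons) is adminwd."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    client, sep, rest = line.partition(":")
    if not sep:
        return Entry(client, None, "", None)
    uid, sep, rest = rest.partition(":")
    if not sep:                         # no ':passwd' part -> passwd = ""
        return Entry(client, uid, "", None)
    passwd, sep, adminwd = rest.partition(":")
    return Entry(client, uid, passwd, adminwd if sep else None)


def classify_hash(stored: str) -> str:
    """Name the crypt(3) scheme a stored field selects when used as the salt."""
    if stored == "":
        return "none"
    if stored.startswith("*"):          # what hfaxd sets when no entry matches
        return "locked"
    for prefix, name in _MODULAR_PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if _DES_RE.match(stored):
        return "descrypt"
    return "invalid"


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (client, finding) pairs for fields that fall under the warning."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        scheme = classify_hash(entry.passwd)
        if scheme in WEAK_SCHEMES:
            findings.append((entry.client, scheme))
        if entry.adminwd is not None:
            admin_scheme = classify_hash(entry.adminwd)
            if admin_scheme in WEAK_SCHEMES:
                findings.append((entry.client, "admin:" + admin_scheme))
    return findings


# Constructed sample; the hash bodies are placeholders, only their shape matters.
SAMPLE_ACCESS_FILE = r"""
# constructed hosts.hfaxd-style input, not from a real system
^localhost$:fax:
^fax\.example\.com$:1001:abJnggxhB/yWI
^.*@10\.0\.0\.:1002:$6$saltsalt$placeholderplaceholderplaceholder:abJnggxhB/yWI
^.*:1003:$2b$10$placeholderplaceholderplaceholderplaceholder:$5$saltsalt$placeholder
"""

if __name__ == "__main__":
    for client, finding in audit(SAMPLE_ACCESS_FILE):
        print(f"{client}: {finding}")
```

Run against the sample, the audit reports the localhost entry (no password at all), the DES-hashed user password, and the DES-hashed admin password, while the SHA-512 and bcrypt entries pass. The remediation on the hfaxd side needs no code change in checkpasswdHosts: regenerate the stored hashes with a $6$ or $2b$ scheme and crypt(3) will use it, and only the first 8 characters of a password still matter for any remaining 13-character entry.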
