Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

alpine 3.9
misc weakness #432


Weakness Breakdown


The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.9 misc weakness.

   funlockfile (out);

  call_fclose (tty);

  return buf;

#else /* W32 native */

/* Windows implementation by Martin Lambers <>,
   improved by Simon Josefsson. */

/* For PASS_MAX. */
# include <limits.h>
/* For _getch(). */
# include <conio.h>
/* For strdup(). */
# include <string.h>

# ifndef PASS_MAX
#  define PASS_MAX 512
# endif

char *
getpass (const char *prompt)
{
  char getpassbuf[PASS_MAX + 1];
  size_t i = 0;
  int c;

  if (prompt)
    {
      fputs (prompt, stderr);
      fflush (stderr);
    }

  /* Read unechoed characters until a carriage return or until the
     fixed-size buffer is full. */
  for (;;)
    {
      c = _getch ();
      if (c == '\r')
        {
          getpassbuf[i] = '\0';
          break;
        }
      else if (i < PASS_MAX)
        {
          getpassbuf[i++] = c;
        }

      if (i >= PASS_MAX)
