alpine 3.9
shell weakness #10

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/cabd.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

   case cffoldCOMPTYPE_NONE:    noned_free((struct noned_state *) self->d->state);   break;
  case cffoldCOMPTYPE_MSZIP:   mszipd_free((struct mszipd_stream *) self->d->state);  break;
  case cffoldCOMPTYPE_QUANTUM: qtmd_free((struct qtmd_stream *) self->d->state);    break;
  case cffoldCOMPTYPE_LZX:     lzxd_free((struct lzxd_stream *) self->d->state);    break;
  }
  self->d->decompress = NULL;
  self->d->state      = NULL;
}

/***************************************
 * CABD_SYS_READ, CABD_SYS_WRITE
 ***************************************
 * cabd_sys_read is the internal reader function which the decompressors
 * use. will read data blocks (and merge split blocks) from the cabinet
 * and serve the read bytes to the decompressors
 *
 * cabd_sys_write is the internal writer function which the decompressors
 * use. it either writes data to disk (self->d->outfh) with the real
 * sys->write() function, or does nothing with the data when
 * self->d->outfh == NULL. advances self->d->offset
 */
static int cabd_sys_read(struct mspack_file *file, void *buffer, int bytes) {
  struct mscab_decompressor_p *self = (struct mscab_decompressor_p *) file;
  unsigned char *buf = (unsigned char *) buffer;
  struct mspack_system *sys = self->system;
  int avail, todo, outlen, ignore_cksum, ignore_blocksize;

  ignore_cksum = self->param[MSCABD_PARAM_SALVAGE] ||
    (self->param[MSCABD_PARAM_FIXMSZIP] && 
     ((self->d->comp_type & cffoldCOMPTYPE_MASK) == cffoldCOMPTYPE_MSZIP));
  ignore_blocksize = self->param[MSCABD_PARAM_SALVAGE];

  todo = bytes;
  while (todo > 0) {
    avail = self->d->i_end - self->d->i_ptr;

    /* if out of input data, read a new block */
    if (avail) {
      /* copy as many input bytes available as possible */
      if (avail > todo) avail = todo;
      sys->copy(self->d->i_ptr, buf, (size_t) avail);
      self->d->i_ptr += avail;
      buf  += avail;
      todo -= avail;
    }
    else {
      /* out of data, read a new block */

      /* check if we're out of input blocks, advance block counter */
      if (self->d->block++ >= self->d->folder->base.num_blocks) { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.