A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.
Running a command through the shell causes a new program to execute and is difficult to use safely.
The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.
 *                         reset, in multiples of LZX frames (32678
 *                         bytes), e.g. a value of 2 indicates the input
 *                         stream resets after every 65536 output bytes.
 *                         A value of 0 indicates that the bitstream never
 *                         resets, such as in CAB LZX streams.
 * @param input_buffer_size the number of bytes to use as an input
 *                         bitstream buffer.
 * @param output_length    the length in bytes of the entirely
 *                         decompressed output stream, if known in
 *                         advance. It is used to correctly perform the
 *                         Intel E8 transformation, which must stop 6
 *                         bytes before the very end of the
 *                         decompressed stream. It is not otherwise used
 *                         or adhered to. If the full decompressed
 *                         length is known in advance, set it here.
 *                         If it is NOT known, use the value 0, and call
 *                         lzxd_set_output_length() once it is
 *                         known. If never set, 4 of the final 6 bytes
 *                         of the output stream may be incorrect.
 * @param is_delta         should be zero for all regular LZX data,
 *                         non-zero for LZX DELTA encoded data.
 * @return a pointer to an initialised lzxd_stream structure, or NULL if
 * there was not enough memory or parameters to the function were wrong.
 */
extern struct lzxd_stream *lzxd_init(struct mspack_system *system,
                                     struct mspack_file *input,
                                     struct mspack_file *output,
                                     int window_bits,
                                     int reset_interval,
                                     int input_buffer_size,
                                     off_t output_length,
                                     char is_delta);

/* see description of output_length in lzxd_init() */
extern void lzxd_set_output_length(struct lzxd_stream *lzx,
                                   off_t output_length);

/**
 * Reads LZX DELTA reference data into the window and allows
 * lzxd_decompress() to reference it.
 *
 * Call this before the first call to lzxd_decompress().
 * @param lzx    the LZX stream to apply this reference data to
 * @param system an mspack_system implementation to use with the
 *               input param. Only read() will be called.
 * @param input  an input file handle to read reference data using
 *               system->read().
 * @param length the length of the reference data. Cannot be longer
 *               than the LZX window size.