alpine 3.9
shell weakness #12

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/lzx.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

                                      int input_buffer_size,
                                     off_t output_length,
                                     char is_delta);

/* see description of output_length in lzxd_init() */
extern void lzxd_set_output_length(struct lzxd_stream *lzx,
                                   off_t output_length);

/**
 * Reads LZX DELTA reference data into the window and allows
 * lzxd_decompress() to reference it.
 *
 * Call this before the first call to lzxd_decompress().

 * @param lzx    the LZX stream to apply this reference data to
 * @param system an mspack_system implementation to use with the
 *               input param. Only read() will be called.
 * @param input  an input file handle to read reference data using
 *               system->read().
 * @param length the length of the reference data. Cannot be longer
 *               than the LZX window size.
 * @return an error code, or MSPACK_ERR_OK if successful
 */
extern int lzxd_set_reference_data(struct lzxd_stream *lzx,
                                   struct mspack_system *system,
                                   struct mspack_file *input,
                                   unsigned int length);

/**
 * Decompresses entire or partial LZX streams.
 *
 * The number of bytes of data that should be decompressed is given as the
 * out_bytes parameter. If more bytes are decoded than are needed, they
 * will be kept over for a later invocation.
 *
 * The output bytes will be passed to the system->write() function given in
 * lzxd_init(), using the output file handle given in lzxd_init(). More than
 * one call may be made to system->write().

 * Input bytes will be read in as necessary using the system->read()
 * function given in lzxd_init(), using the input file handle given in
 * lzxd_init().  This will continue until system->read() returns 0 bytes,
 * or an error. Errors will be passed out of the function as
 * MSPACK_ERR_READ errors.  Input streams should convey an "end of input
 * stream" by refusing to supply all the bytes that LZX asks for when they
 * reach the end of the stream, rather than return an error code.
 *
 * If any error code other than MSPACK_ERR_OK is returned, the stream
 * should be considered unusable and lzxd_decompress() should not be
 * called again on this stream. 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.