alpine 3.9
shell weakness #18

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

The flagged call causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/lzxd.c

Context:

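The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness. In the excerpt as shown, the identifier `system` appears only as a pointer parameter of type `struct mspack_system *`, and no call that starts a new program is visible, so confirm by hand whether the flagged line actually reaches the operating system's command interpreter before treating it as exploitable.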

   lzx->offset          = 0;
  lzx->length          = output_length;

  lzx->inbuf_size      = input_buffer_size;
  lzx->window_size     = 1 << window_bits;
  lzx->ref_data_size   = 0;
  lzx->window_posn     = 0;
  lzx->frame_posn      = 0;
  lzx->frame           = 0;
  lzx->reset_interval  = reset_interval;
  lzx->intel_filesize  = 0;
  lzx->intel_curpos    = 0;
  lzx->intel_started   = 0;
  lzx->error           = MSPACK_ERR_OK;
  lzx->num_offsets     = position_slots[window_bits - 15] << 3;
  lzx->is_delta        = is_delta;

  lzx->o_ptr = lzx->o_end = &lzx->e8_buf[0];
  lzxd_reset_state(lzx);
  INIT_BITS;
  return lzx;
}

int lzxd_set_reference_data(struct lzxd_stream *lzx,
                            struct mspack_system *system,
                            struct mspack_file *input,
                            unsigned int length)
{
    if (!lzx) return MSPACK_ERR_ARGS;

    if (!lzx->is_delta) {
        D(("only LZX DELTA streams support reference data"))
        return MSPACK_ERR_ARGS;
    }
    if (lzx->offset) {
        D(("too late to set reference data after decoding starts"))
        return MSPACK_ERR_ARGS;
    }
    if (length > lzx->window_size) {
        D(("reference length (%u) is longer than the window", length))
        return MSPACK_ERR_ARGS;
    }
    if (length > 0 && (!system || !input)) {
        D(("length > 0 but no system or input"))
        return MSPACK_ERR_ARGS;
    }

    lzx->ref_data_size = length;
    if (length > 0) {
        /* copy reference data */ 
