alpine 3.9
shell weakness #19

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/lzxd.c

Context:

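The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness. (The highlighting is not preserved in this text. In the visible excerpt, `system` appears only as a parameter of type `struct mspack_system *` and in the call `system->read(...)` made through that pointer; there is no call to the C library's `system()`. The warning therefore appears to match the identifier name rather than an actual command execution, and should be confirmed against the full file before it is treated as a real finding.)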

   lzxd_reset_state(lzx);
  INIT_BITS;
  return lzx;
}

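/*
 * Loads reference data for an LZX DELTA stream into the tail of the
 * decoding window.
 *
 * lzx     decoder state; must be an LZX DELTA stream (lzx->is_delta) on
 *         which decoding has not started yet (lzx->offset == 0)
 * system  I/O interface whose read() member is used to fetch the data;
 *         may be NULL only when length is 0
 * input   file handle handed to system->read(); may be NULL only when
 *         length is 0
 * length  number of reference bytes to load; must not exceed
 *         lzx->window_size
 *
 * Returns MSPACK_ERR_OK on success, MSPACK_ERR_ARGS when an argument is
 * rejected, and MSPACK_ERR_READ when fewer than `length` bytes were read.
 *
 * Note for static-analysis triage: `system` here is a parameter of type
 * struct mspack_system *, and system->read() is a call through that
 * structure's member. This function does not call the C library's
 * system() and does not start a new program.
 */
int lzxd_set_reference_data(struct lzxd_stream *lzx,
                            struct mspack_system *system,
                            struct mspack_file *input,
                            unsigned int length)
{
    if (!lzx) return MSPACK_ERR_ARGS;

    if (!lzx->is_delta) {
        D(("only LZX DELTA streams support reference data"))
        return MSPACK_ERR_ARGS;
    }
    if (lzx->offset) {
        D(("too late to set reference data after decoding starts"))
        return MSPACK_ERR_ARGS;
    }
    /* this bound keeps the window index computed below inside the window */
    if (length > lzx->window_size) {
        D(("reference length (%u) is longer than the window", length))
        return MSPACK_ERR_ARGS;
    }
    if (length > 0 && (!system || !input)) {
        D(("length > 0 but no system or input"))
        return MSPACK_ERR_ARGS;
    }

    if (length > 0) {
        /* copy reference data into the last `length` bytes of the window */
        unsigned char *pos = &lzx->window[lzx->window_size - length];
        int bytes = system->read(input, pos, length);
        /* length can't be more than 2^25, so no signedness problem */
        if (bytes < (int)length) {
            /* Short or failed read: the tail of the window is not fully
             * populated. Record that no reference data is available
             * instead of leaving ref_data_size at `length`, so a caller
             * that ignores the error cannot have unread window bytes
             * treated as reference data (ref_data_size is presumably
             * what the decoder consults; the decoder is not shown here). */
            lzx->ref_data_size = 0;
            return MSPACK_ERR_READ;
        }
    }

    /* commit the size only once the data is known to be in place */
    lzx->ref_data_size = length;
    return MSPACK_ERR_OK;
}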

/*
 * Stores the expected output length in the decoder state.
 * A NULL stream or a non-positive out_bytes leaves the state untouched.
 */
void lzxd_set_output_length(struct lzxd_stream *lzx, off_t out_bytes) {
  if (!lzx || out_bytes <= 0) {
    return;
  }
  lzx->length = out_bytes;
}

int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
  /* bitstream and huffman reading variables */
  register unsigned int bit_buffer;
  register int bits_left, i=0;
  unsigned char *i_ptr, *i_end; 
