alpine 3.9
shell weakness #2

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

abuild/src/abuild-3.3.1/abuild-fetch.c

Context:

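The excerpt below contains the trigger point of this particular Alpine 3.9 shell weakness. The original highlighting is not preserved in this text; the only call in the excerpt that starts a new program is execvp() in fork_exec().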

 	char *argv[32];
};

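/*
 * Append one argument to a command vector and keep the vector NULL-terminated.
 *
 * cmd: vector being built; cmd->argc counts the arguments stored so far.
 * opt: argument to append. Only the pointer is stored, so the string must
 *      stay valid for as long as cmd is in use.
 *
 * argv is a fixed-size array and every append also writes the terminating
 * NULL one slot further on, so the last slot is reserved for that NULL.
 * An append that would run past the array ends the program instead of
 * writing outside the struct.
 */
void add_opt(struct cmdarray *cmd, char *opt)
{
	const size_t slots = sizeof cmd->argv / sizeof cmd->argv[0];

	/*
	 * Room is needed for opt at argc and for the NULL at argc + 1. The cast
	 * also turns a negative count into a huge value that fails the check.
	 * NOTE(review): 200 is the status fork_exec() uses for a failed fork;
	 * confirm that callers are fine with it for this internal error too.
	 */
	if ((size_t)cmd->argc >= slots - 1)
		errx(200, "too many command arguments");

	cmd->argv[cmd->argc++] = opt;
	cmd->argv[cmd->argc] = NULL;
}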

/*
 * Write the one-line usage summary to standard output.
 *
 * eval: value handed back to the caller unchanged, so a call site can print
 *       the summary and return its chosen status in a single statement.
 */
int usage(int eval)
{
	fprintf(stdout, "usage: %s [-h] [-d DESTDIR] URL\n", program);

	return eval;
}

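/*
 * Run a program in a child process and report how it ended.
 *
 * argv:    NULL-terminated argument vector; argv[0] names the program and is
 *          looked up through PATH by execvp().
 * showerr: when non-zero, the child prints a warning if the exec fails.
 *
 * Returns the child's exit status when it exited normally, 201 when the
 * program could not be executed (the child exits with that status), and 202
 * when the child did not exit normally or could not be waited for. A failed
 * fork() ends the calling process with status 200.
 *
 * Security note: execvp() starts the program directly, without a shell, so
 * the arguments are not subject to shell interpretation. Every element of
 * argv does reach the program as given, and argv[0] is resolved through
 * PATH, so callers should pass fixed program names and make sure values that
 * come from outside (a URL, for instance) cannot be read as options.
 */
int fork_exec(char *argv[], int showerr)
{
	int status = 0;
	pid_t childpid = fork();

	if (childpid < 0)
		err(200, "fork");

	if (childpid == 0) {
		execvp(argv[0], argv);
		/* only reached when execvp() failed */
		if (showerr)
			warn("%s", argv[0]);
		_exit(201);
	}

	/*
	 * Wait for this child specifically and check the result. A plain wait()
	 * whose failure goes unnoticed leaves status at 0, which WIFEXITED()
	 * reads as a normal exit with status 0, i.e. a successful fetch.
	 * NOTE(review): an interrupted waitpid() (EINTR) is reported as 202
	 * rather than retried; retrying needs errno, and whether <errno.h> is
	 * included is not visible in this excerpt.
	 */
	if (waitpid(childpid, &status, 0) != childpid)
		return 202;

	/* exit code of curl/wget, or 202 if it was killed by a signal */
	return WIFEXITED(status) ? WEXITSTATUS(status) : 202;
}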

/* create or wait for an NFS-safe lockfile and fetch url with curl or wget */
int fetch(char *url, const char *destdir)
{
	int lockfd, status=0;
	char outfile[PATH_MAX], partfile[PATH_MAX];
	char *name, *p;
	struct flock fl = {
		.l_type = F_WRLCK,
		.l_whence = SEEK_SET,
		.l_start = 1,
		.l_len = 0,
	};
	struct cmdarray curlcmd = { 
