Alpine 3.9
Shell weakness #20

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/mszip.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

  /* huffman code lengths */
  unsigned char  LITERAL_len[MSZIP_LITERAL_MAXSYMBOLS];
  unsigned char  DISTANCE_len[MSZIP_DISTANCE_MAXSYMBOLS];

  /* huffman decoding tables */
  unsigned short LITERAL_table [MSZIP_LITERAL_TABLESIZE];
  unsigned short DISTANCE_table[MSZIP_DISTANCE_TABLESIZE];

  /* 32kb history window */
  unsigned char window[MSZIP_FRAME_SIZE];
};

/* allocates MS-ZIP decompression stream for decoding the given stream.
 *
 * - uses system->alloc() to allocate memory
 *
 * - returns NULL if not enough memory
 *
 * - input_buffer_size is how many bytes to use as an input bitstream buffer
 *
 * - if repair_mode is non-zero, errors in decompression will be skipped
 *   and 'holes' left will be filled with zero bytes. This allows at least
 *   a partial recovery of erroneous data.
 */
extern struct mszipd_stream *mszipd_init(struct mspack_system *system,
                                        struct mspack_file *input,
                                        struct mspack_file *output,
                                        int input_buffer_size,
                                        int repair_mode);

/* decompresses, or decompresses more of, an MS-ZIP stream.
 *
 * - out_bytes of data will be decompressed and the function will return
 *   with an MSPACK_ERR_OK return code.
 *
 * - decompressing will stop as soon as out_bytes is reached. if the true
 *   amount of bytes decoded spills over that amount, they will be kept for
 *   a later invocation of mszipd_decompress().
 *
 * - the output bytes will be passed to the system->write() function given in
 *   mszipd_init(), using the output file handle given in mszipd_init(). More
 *   than one call may be made to system->write()
 *
 * - MS-ZIP will read input bytes as necessary using the system->read()
 *   function given in mszipd_init(), using the input file handle given in
 *   mszipd_init(). This will continue until system->read() returns 0 bytes,
 *   or an error.
 */
extern int mszipd_decompress(struct mszipd_stream *zip, off_t out_bytes);
 
