alpine 3.9
shell weakness #26

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/qtm.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

 
  /* symbol arrays for all models */
  struct qtmd_modelsym m0sym[64 + 1];
  struct qtmd_modelsym m1sym[64 + 1];
  struct qtmd_modelsym m2sym[64 + 1];
  struct qtmd_modelsym m3sym[64 + 1];
  struct qtmd_modelsym m4sym[24 + 1];
  struct qtmd_modelsym m5sym[36 + 1];
  struct qtmd_modelsym m6sym[42 + 1], m6lsym[27 + 1];
  struct qtmd_modelsym m7sym[7 + 1];
};

/* allocates Quantum decompression state for decoding the given stream.
 *
 * - returns NULL if window_bits is outwith the range 10 to 21 (inclusive).
 *
 * - uses system->alloc() to allocate memory
 *
 * - returns NULL if not enough memory
 *
 * - window_bits is the size of the Quantum window, from 1Kb (10) to 2Mb (21).
 *
 * - input_buffer_size is the number of bytes to use to store bitstream data.
 */
extern struct qtmd_stream *qtmd_init(struct mspack_system *system,
                                     struct mspack_file *input,
                                     struct mspack_file *output,
                                     int window_bits,
                                     int input_buffer_size);

/* decompresses, or decompresses more of, a Quantum stream.
 *
 * - out_bytes of data will be decompressed and the function will return
 *   with an MSPACK_ERR_OK return code.
 *
 * - decompressing will stop as soon as out_bytes is reached. if the true
 *   amount of bytes decoded spills over that amount, they will be kept for
 *   a later invocation of qtmd_decompress().
 *
 * - the output bytes will be passed to the system->write() function given in
 *   qtmd_init(), using the output file handle given in qtmd_init(). More
 *   than one call may be made to system->write()
 *
 * - Quantum will read input bytes as necessary using the system->read()
 *   function given in qtmd_init(), using the input file handle given in
 *   qtmd_init(). This will continue until system->read() returns 0 bytes,
 *   or an error.
 */
extern int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes);
 
