alpine 3.9
shell weakness #30

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/cabd.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

 }
    
/***************************************
 * CABD_SEARCH, CABD_FIND
 ***************************************
 * cabd_search opens a file, finds its extent, allocates a search buffer,
 * then reads through the whole file looking for possible cabinet headers.
 * if it finds any, it tries to read them as real cabinets. returns a linked
 * list of results
 *
 * cabd_find is the inner loop of cabd_search, to make it easier to
 * break out of the loop and be sure that all resources are freed
 */
static struct mscabd_cabinet *cabd_search(struct mscab_decompressor *base,
                                          const char *filename)
{
  struct mscab_decompressor_p *self = (struct mscab_decompressor_p *) base;
  struct mscabd_cabinet_p *cab = NULL;
  struct mspack_system *sys;
  unsigned char *search_buf;
  struct mspack_file *fh;
  off_t filelen, firstlen = 0;

  if (!base) return NULL;
  sys = self->system;

  /* allocate a search buffer */
  search_buf = (unsigned char *) sys->alloc(sys, (size_t) self->param[MSCABD_PARAM_SEARCHBUF]);
  if (!search_buf) {
    self->error = MSPACK_ERR_NOMEMORY;
    return NULL;
  }

  /* open file and get its full file length */
  if ((fh = sys->open(sys, filename, MSPACK_SYS_OPEN_READ))) {
    if (!(self->error = mspack_sys_filelen(sys, fh, &filelen))) {
      self->error = cabd_find(self, search_buf, fh, filename,
                              filelen, &firstlen, &cab);
    }

    /* truncated / extraneous data warning: */
    if (firstlen && (firstlen != filelen) &&
        (!cab || (cab->base.base_offset == 0)))
    {
      if (firstlen < filelen) {
        sys->message(fh, "WARNING; possible %" LD
                     " extra bytes at end of file.",
                     filelen - firstlen);
      }
      else { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.