alpine 3.9
shell weakness #6

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

heirloom-mailx/src/mailx-12.4/popen.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

 	return wait_command(pid);
}

/*VARARGS4*/
int
start_command(const char *cmd, sigset_t *mask, int infd, int outfd,
		const char *a0, const char *a1, const char *a2)
{
	int pid;

	if ((pid = fork()) < 0) {
		perror("fork");
		return -1;
	}
	if (pid == 0) {
		char *argv[100];
		int i = getrawlist(cmd, strlen(cmd),
				argv, sizeof argv / sizeof *argv, 0);

		if ((argv[i++] = (char *)a0) != NULL &&
		    (argv[i++] = (char *)a1) != NULL &&
		    (argv[i++] = (char *)a2) != NULL)
			argv[i] = NULL;
		prepare_child(mask, infd, outfd);
		execvp(argv[0], argv);
		perror(argv[0]);
		_exit(1);
	}
	return pid;
}

void
prepare_child(sigset_t *nset, int infd, int outfd)
{
	int i;
	sigset_t fset;

	/*
	 * All file descriptors other than 0, 1, and 2 are supposed to be
	 * close-on-exec.
	 */
	if (infd >= 0)
		dup2(infd, 0);
	if (outfd >= 0)
		dup2(outfd, 1);
	if (nset) {
		for (i = 1; i < NSIG; i++)
			if (sigismember(nset, i))
				safe_signal(i, SIG_IGN);
		if (!sigismember(nset, SIGINT)) 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.