alpine 3.9
shell weakness #7

4

Weakness Breakdown


Definition:

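A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system, typically because untrusted input reaches a call that starts a shell or another program (commonly classified as CWE-78, OS command injection).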

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/cabd.c

Context:

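The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness. The highlighting is not visible in this text rendering of the listing. In the excerpt shown, the only occurrence of `system` is the struct member read `self->system`, which yields a `struct mspack_system *` and is not a call that starts a program; the calls made through `sys` (`message`, `close`, `free`, `read`) are function-pointer callbacks. When triaging this finding, confirm whether the scanner matched on the identifier name rather than on an actual process-spawning call.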

       else {
        sys->message(fh, "WARNING; file possibly truncated by %" LD " bytes.",
                     firstlen - filelen);
      }
    }
    
    sys->close(fh);
  }
  else {
    self->error = MSPACK_ERR_OPEN;
  }

  /* free the search buffer */
  sys->free(search_buf);

  return (struct mscabd_cabinet *) cab;
}

static int cabd_find(struct mscab_decompressor_p *self, unsigned char *buf,
                     struct mspack_file *fh, const char *filename, off_t flen,
                     off_t *firstlen, struct mscabd_cabinet_p **firstcab)
{
  struct mscabd_cabinet_p *cab, *link = NULL;
  off_t caboff, offset, length;
  struct mspack_system *sys = self->system;
  unsigned char *p, *pend, state = 0;
  unsigned int cablen_u32 = 0, foffset_u32 = 0;
  int false_cabs = 0, salvage = self->param[MSCABD_PARAM_SALVAGE];

#if !LARGEFILE_SUPPORT
  /* detect 32-bit off_t overflow */
  if (flen < 0) {
    sys->message(fh, largefile_msg);
    return MSPACK_ERR_OK;
  }
#endif

  /* search through the full file length */
  for (offset = 0; offset < flen; offset += length) {
    /* search length is either the full length of the search buffer, or the
     * amount of data remaining to the end of the file, whichever is less. */
    length = flen - offset;
    if (length > self->param[MSCABD_PARAM_SEARCHBUF]) {
      length = self->param[MSCABD_PARAM_SEARCHBUF];
    }

    /* fill the search buffer with data from disk */
    if (sys->read(fh, &buf[0], (int) length) != (int) length) {
      return MSPACK_ERR_READ;
    } 
