alpine 3.9
shell weakness #8

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/cabd.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

                         struct mscabd_cabinet *prevcab)
{
  return cabd_merge(base, prevcab, cab);
}

static int cabd_append(struct mscab_decompressor *base,
                        struct mscabd_cabinet *cab,
                        struct mscabd_cabinet *nextcab)
{
  return cabd_merge(base, cab, nextcab);
}

static int cabd_merge(struct mscab_decompressor *base,
                      struct mscabd_cabinet *lcab,
                      struct mscabd_cabinet *rcab)
{
  struct mscab_decompressor_p *self = (struct mscab_decompressor_p *) base;
  struct mscabd_folder_data *data, *ndata;
  struct mscabd_folder_p *lfol, *rfol;
  struct mscabd_file *fi, *rfi, *lfi;
  struct mscabd_cabinet *cab;
  struct mspack_system *sys;

  if (!self) return MSPACK_ERR_ARGS;
  sys = self->system;

  /* basic args check */
  if (!lcab || !rcab || (lcab == rcab)) {
    D(("lcab NULL, rcab NULL or lcab = rcab"))
    return self->error = MSPACK_ERR_ARGS;
  }

  /* check there's not already a cabinet attached */
  if (lcab->nextcab || rcab->prevcab) {
    D(("cabs already joined"))
    return self->error = MSPACK_ERR_ARGS;
  }

  /* do not create circular cabinet chains */
  for (cab = lcab->prevcab; cab; cab = cab->prevcab) {
    if (cab == rcab) {D(("circular!")) return self->error = MSPACK_ERR_ARGS;}
  }
  for (cab = rcab->nextcab; cab; cab = cab->nextcab) {
    if (cab == lcab) {D(("circular!")) return self->error = MSPACK_ERR_ARGS;}
  }

  /* warn about odd set IDs or indices */
  if (lcab->set_id != rcab->set_id) {
    sys->message(NULL, "WARNING; merged cabinets with differing Set IDs.");
  } 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.