alpine 3.9
shell weakness #9

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

cabextract/src/cabextract-1.9/mspack/cabd.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 shell weakness.

         if (r) matching = 1; else sys->message(NULL,
            "WARNING; merged file %s not listed in both cabinets", l->filename);
    }
    return matching;
}


/***************************************
 * CABD_EXTRACT
 ***************************************
 * extracts a file from a cabinet
 */
static int cabd_extract(struct mscab_decompressor *base,
                        struct mscabd_file *file, const char *filename)
{
  struct mscab_decompressor_p *self = (struct mscab_decompressor_p *) base;
  struct mscabd_folder_p *fol;
  struct mspack_system *sys;
  struct mspack_file *fh;
  off_t filelen;

  if (!self) return MSPACK_ERR_ARGS;
  if (!file) return self->error = MSPACK_ERR_ARGS;

  sys = self->system;
  fol = (struct mscabd_folder_p *) file->folder;

  /* if offset is beyond 2GB, nothing can be extracted */
  if (file->offset > CAB_LENGTHMAX) {
    return self->error = MSPACK_ERR_DATAFORMAT;
  }

  /* if file claims to go beyond 2GB either error out,
   * or in salvage mode reduce file length so it fits 2GB limit
   */
  filelen = file->length;
  if (filelen > CAB_LENGTHMAX || (file->offset + filelen) > CAB_LENGTHMAX) {
    if (self->param[MSCABD_PARAM_SALVAGE]) {
      filelen = CAB_LENGTHMAX - file->offset;
    }
    else {
      return self->error = MSPACK_ERR_DATAFORMAT;
    }
  }

  /* extraction impossible if no folder, or folder needs predecessor */
  if (!fol || fol->merge_prev) {
    sys->message(NULL, "ERROR; file \"%s\" cannot be extracted, "
                 "cabinet set is incomplete", file->filename);
    return self->error = MSPACK_ERR_DECRUNCH; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.