centos 7
shell weakness #2

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

PackageKit-1.1.10/backends/nix/nix-lib-plus.cc

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 shell weakness.

 		if (i.queryDrvPath() != "")
			drvsToBuild.insert(i.queryDrvPath());

	debug(format("building user environment dependencies"));
	state.store->buildPaths(drvsToBuild, state.repair ? bmRepair : bmNormal);

	/* Construct the whole top level derivation. */
	PathSet references;
	Value manifest;
	state.mkList(manifest, elems.size());
	unsigned int n = 0;
	for (auto & i : elems) {
		/* Create a pseudo-derivation containing the name, system,
		   output paths, and optionally the derivation path, as well
		   as the meta attributes. */
		Path drvPath = keepDerivations ? i.queryDrvPath() : "";

		Value & v(*state.allocValue());
		manifest.listElems()[n++] = &v;
		state.mkAttrs(v, 16);

		mkString(*state.allocAttr(v, state.sType), "derivation");
		mkString(*state.allocAttr(v, state.sName), i.name);
		if (!i.system.empty())
			mkString(*state.allocAttr(v, state.sSystem), i.system);
		mkString(*state.allocAttr(v, state.sOutPath), i.queryOutPath());
		if (drvPath != "")
			mkString(*state.allocAttr(v, state.sDrvPath), i.queryDrvPath());

		// Copy each output meant for installation.
		DrvInfo::Outputs outputs = i.queryOutputs();
		Value & vOutputs = *state.allocAttr(v, state.sOutputs);
		state.mkList(vOutputs, outputs.size());
		unsigned int m = 0;
		for (auto & j : outputs) {
			mkString(*(vOutputs.listElems()[m++] = state.allocValue()), j.first);
			Value & vOutputs = *state.allocAttr(v, state.symbols.create(j.first));
			state.mkAttrs(vOutputs, 2);
			mkString(*state.allocAttr(vOutputs, state.sOutPath), j.second);

			/* This is only necessary when installing store paths, e.g.,
			   'nix-env -i /nix/store/abcd...-foo'. */
			state.store->addTempRoot(j.second);
			state.store->ensurePath(j.second);

			references.insert(j.second);
		}

		// Copy the meta attributes.
		Value & vMeta = *state.allocAttr(v, state.sMeta); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.