
fedora 23
shell weakness #7

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program lets an attacker execute unexpected commands on the underlying operating system — typically by passing attacker-influenced data to a function that spawns a shell or another program.

Warning code(s):

The scanner's rule text for this pattern: the matched call name is one that causes a new program to execute (typically via a shell), which is difficult to use safely because any attacker-controlled characters in its argument can be interpreted as shell syntax. Note that this is a name-based pattern match, not a data-flow analysis; see the context below.

File Name:

oiio-Release-1.5.24/src/include/OpenImageIO/optparser.h

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 shell weakness. Reviewer note: in the code shown, `system` is not the C library `system()` function — it is the template parameter `C &system` of `optparser(...)`, and every flagged expression (`system.attribute(name.c_str(), ...)`) is a member-function call on that object that forwards a parsed name/value pair to the caller's attribute setter. No shell or child process is spawned by these lines, so this finding looks like a false positive caused by the parameter name colliding with the scanner's `system` pattern. To close it out, confirm that no bare `system(` / `::system(` call exists elsewhere in the file and that the `attribute()` implementation on the concrete type (e.g. the texture system) does not itself execute commands; renaming the parameter (e.g. to `sys` or `target`) would silence the pattern match without changing behavior.

             return system.attribute (name.c_str(), (float)atof(value.c_str()));
        else  // int
            return system.attribute (name.c_str(), (int)atoi(value.c_str()));
    }
    // otherwise treat it as a string

    // trim surrounding double quotes
    if (value.size() >= 2 &&
            value[0] == '\"' && value[value.size()-1] == '\"')
        value = std::string (value, 1, value.size()-2);

    return system.attribute (name.c_str(), value.c_str());
}



/// Parse a string with comma-separated name=value directives, calling
/// system.attribute(name,value) for each one, with appropriate type
/// conversions.  Examples:
///    optparser(texturesystem, "verbose=1");
///    optparser(texturesystem, "max_memory_MB=32.0");
///    optparser(texturesystem, "a=1,b=2,c=3.14,d=\"a string\"");
template<class C>
inline bool
optparser (C &system, const std::string &optstring)
{
    bool ok = true;
    size_t len = optstring.length();
    size_t pos = 0;
    while (pos < len) {
        std::string opt;
        bool inquote = false;
        while (pos < len) {
            unsigned char c = optstring[pos];
            if (c == '\"') {
                // Hit a double quote -- toggle "inquote" and add the quote
                inquote = !inquote;
                opt += c;
                ++pos;
            } else if (c == ',' && !inquote) {
                // Hit a comma and not inside a quote -- we have an option
                ++pos;  // skip the comma
                break;  // done with option
            } else {
                // Anything else: add to the option
                opt += c;
                ++pos;
            }
        }
        // At this point, opt holds an option 
