
rhel 6
misc weakness #407

4

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data.

File Name:

libreswan-3.15/programs/pluto/whackinit.c

Context:

The getpass() call in the code below (highlighted in the original report) is the trigger point of this particular Red Hat Enterprise Linux 6 misc weakness.

static bool pack_str(char **p)
{
	const char *s = *p == NULL ? "" : *p;   /* note: NULL becomes ""! */
	size_t len = strlen(s) + 1;

	if (str_roof - next_str < (ptrdiff_t)len) {
		return FALSE; /* fishy: no end found */
	} else {
		strcpy(next_str, s);
		next_str += len;
		*p = NULL; /* don't send pointers on the wire! */
		return TRUE;
	}
}

/* ??? bufsize must be PASS_MAX + 1 (documented in getpass(3)) */
static size_t get_secret(char *buf, size_t bufsize)
{
	const char *secret;
	size_t len;

	fflush(stdout);
	usleep(20000); /* give fflush time for flushing */
	/* ??? the function getpass(3) is obsolete! */
	secret = getpass("Enter passphrase: ");

	len = (secret == NULL? 0 : strlen(secret)) + 1;
	if (len > bufsize)
		len = bufsize;
	if (len > 0) {
		memcpy(buf, secret, len - 1);
		buf[len - 1] = '\0';
	}
	return len;
}

static int get_value(char *buf, size_t bufsize)
{
	int len;
	int try;

	fflush(stdout);
	usleep(20000); /* give fflush time for flushing - has to go through awk */

	try = 3;
	len = 0;
	while (try > 0 && len == 0) {
		fprintf(stderr, "Enter username:   ");

		memset(buf, 0, bufsize); 
