
rhel 7
misc weakness #2

5

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

Never create NULL ACLs; an attacker can set it to Everyone.

File Name:

db-5.3.21/src/mutex/mut_win32.c

Context:

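The highlighted line of code below is the trigger point of this particular Red Hat Enterprise Linux 7 misc weakness. The highlighting is lost in this plain-text copy; the warning above matches the SetSecurityDescriptorDacl call, which passes a null DACL pointer (the literal 0) with the DACL-present flag set to TRUE.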

  *
 * We pass security attributes so that the created event is accessible by all
 * users, in case a Windows service is sharing an environment with a local
 * process run as a different user.
 */
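/* Read-only lookup table: maps a 4-bit value to its lowercase hex digit. */
static const _TCHAR hex_digits[] = _T("0123456789abcdef");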

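/*
 * get_handle --
 *	Create (or open, if it already exists) the named Win32 event that
 *	backs a mutex and store its handle in *eventp.
 *
 *	The event name is "db.m" followed by the mutex id as eight lowercase
 *	hex digits; unused leading positions stay '0'.  The event is
 *	auto-reset and initially non-signaled.
 *
 *	Returns 0 on success.  On failure returns the system error from
 *	__os_get_syserr() after reporting it, and *eventp is NULL.
 *
 * SECURITY (CWE-732): when no security attributes have been installed in
 * DB_GLOBAL(win_sec_attr), the default built here carries a NULL DACL.  A
 * NULL DACL grants every principal full access to the event, including the
 * right to rewrite the DACL or take ownership, so any local account that can
 * open the name can signal the event or lock the sharing processes out of
 * it.  Per the comment preceding this code, the permissive default is
 * deliberate so that a service and a process running as another user can
 * share an environment; it is kept here to preserve that behavior.
 * Deployments that do not need cross-user sharing should provide security
 * attributes with an explicit DACL limited to the intended principals.
 *
 * NOTE(review): CreateEvent requests EVENT_ALL_ACCESS when the named event
 * already exists, so narrowing the default DACL would also require changing
 * how a second process opens the event -- confirm before tightening.
 *
 * NOTE(review): the name is derived from the mutex id alone and is
 * predictable, so a pre-existing object with the same name would be opened
 * rather than created; ERROR_ALREADY_EXISTS is not inspected here.
 */
static __inline int get_handle(env, mutexp, eventp)
	ENV *env;
	DB_MUTEX *mutexp;
	HANDLE *eventp;
{
	_TCHAR idbuf[] = _T("db.m00000000");
	_TCHAR *p = idbuf + 12;		/* Points at the terminating NUL. */
	int ret = 0;
	u_int32_t id;

	/*
	 * Write the id's hex digits right to left over the zero padding; a
	 * 32-bit id yields at most eight digits, so p never moves before
	 * idbuf + 4.
	 */
	for (id = (mutexp)->id; id != 0; id >>= 4)
		*--p = hex_digits[id & 0xf];

#ifndef DB_WINCE
	if (DB_GLOBAL(win_sec_attr) == NULL) {
		/*
		 * Check both setup calls: the original ignored their results
		 * and published the attributes even if the descriptor had
		 * not been initialized, which would make every later call
		 * reuse a bad descriptor.  On failure nothing is published,
		 * so a later call retries the setup.
		 *
		 * NOTE(review): no message id is assigned to this new error
		 * text; allocate one via DB_STR per project convention.
		 */
		if (!InitializeSecurityDescriptor(
		    &DB_GLOBAL(win_default_sec_desc),
		    SECURITY_DESCRIPTOR_REVISION) ||
		    !SetSecurityDescriptorDacl(
		    &DB_GLOBAL(win_default_sec_desc), TRUE, NULL, FALSE)) {
			ret = __os_get_syserr();
			__db_syserr(env, ret,
			    "Win32 security descriptor setup failed");
			*eventp = NULL;
			return (ret);
		}
		DB_GLOBAL(win_default_sec_attr).nLength =
		    sizeof(SECURITY_ATTRIBUTES);
		DB_GLOBAL(win_default_sec_attr).bInheritHandle = FALSE;
		DB_GLOBAL(win_default_sec_attr).lpSecurityDescriptor =
		    &DB_GLOBAL(win_default_sec_desc);
		DB_GLOBAL(win_sec_attr) = &DB_GLOBAL(win_default_sec_attr);
	}
#endif

	/* Auto-reset (bManualReset FALSE), initially non-signaled event. */
	if ((*eventp = CreateEvent(DB_GLOBAL(win_sec_attr),
	    FALSE, FALSE, idbuf)) == NULL) {
		ret = __os_get_syserr();
		__db_syserr(env, ret, DB_STR("2002",
		    "Win32 create event failed"));
	}

	return (ret);
}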

/*
 * __db_win32_mutex_lock_int
 *	Internal function to lock a win32 mutex
 *
 *	If the wait parameter is 0, this function will return DB_LOCK_NOTGRANTED 
