Mitigate Baron SameEdit (CVE-2021-3156) vulnerability

sles 15.1
misc weakness #39


Weakness Breakdown


The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin.

File Name:



The highlighted line of code below is the trigger point of this particular Sles 15.1 misc weakness.

  * 		The password to use for authorization.  If omitted,
 * 		internal heuristics will be used to determine the
 * 		password, if possible.
 * 	flags	A bit mask containing flags controlling certain
 * 		functions of the routine.  Valid flags are defined in
 * 		the file pop.h
 * Return value: Upon successful establishment of a connection, a
 * 	non-null popserver will be returned.  Otherwise, null will be
 * 	returned, and the string variable pop_error will contain an
 * 	explanation of the error.
pop_open (char *host, char *username, char *password, int flags)
  int sock;
  popserver server;

  /* Determine the user name */
  if (! username)
      username = getenv ("USER");
      if (! (username && *username))
	  username = getlogin ();
	  if (! (username && *username))
	      struct passwd *passwd;
	      passwd = getpwuid (getuid ());
	      if (passwd && passwd->pw_name && *passwd->pw_name)
		  username = passwd->pw_name;
		  strcpy (pop_error, "Could not determine username");
		  return (0);

   *  Determine the mail host.

  if (! host)
      host = getenv ("MAILHOST");

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.