alpine 3.6
access weakness #111


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

pidgin-otr/src/pidgin-otr-4.0.2/otr-plugin.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

     account = purple_accounts_find(context->accountname, context->protocol);
    if (!account) return policy;

    otrg_ui_get_prefs(&prefs, account, context->username);
    return prefs.policy;
}

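/* Generate a private key for the given accountname/protocol.
 *
 * The key is written to PRIVKEYFNAME under purple_user_dir().  The file is
 * created with the process umask temporarily narrowed to 0077 (owner
 * read/write only) so that no group/other permission bits can survive the
 * create, whatever the caller's umask was; the previous umask is restored
 * right after the open.  On WIN32 there is no umask, so no permission
 * narrowing happens there.
 *
 * Errors are reported on stderr.  The function has no return value, so a
 * failed generation or a failed final write leaves the caller with either
 * no key file or one that could not be completely written.
 */
void otrg_plugin_create_privkey(const char *accountname,
	const char *protocol)
{
    OtrgDialogWaitHandle waithandle;
#ifndef WIN32
    mode_t mask;
#endif  /* WIN32 */
    FILE *privf;
    int write_failed = 0;

    gchar *privkeyfile = g_build_filename(purple_user_dir(),
	    PRIVKEYFNAME, NULL);
    if (!privkeyfile) {
	fprintf(stderr, _("Out of memory building filenames!\n"));
	return;
    }
#ifndef WIN32
    /* Narrow the umask only around the create: the mode bits of the file
     * are fixed when "w+b" creates it, so nothing else needs the mask. */
    mask = umask (0077);
#endif  /* WIN32 */
    privf = g_fopen(privkeyfile, "w+b");
#ifndef WIN32
    umask (mask);
#endif  /* WIN32 */
    g_free(privkeyfile);
    if (!privf) {
	fprintf(stderr, _("Could not write private key file\n"));
	return;
    }

    waithandle = otrg_dialog_private_key_wait_start(accountname, protocol);

    /* Generate the key.  A non-zero return means generation failed; the
     * previous code discarded it. */
    if (otrl_privkey_generate_FILEp(otrg_plugin_userstate, privf,
	    accountname, protocol) != 0) {
	write_failed = 1;
    }
    /* fclose() flushes buffered output; a failure here means the key on
     * disk may be truncated, so report it as a write error. */
    if (fclose(privf) != 0) {
	write_failed = 1;
    }
    if (write_failed) {
	fprintf(stderr, _("Could not write private key file\n"));
    }
    otrg_ui_update_fingerprint();

    /* Mark the dialog as done, whether or not generation succeeded. */
    otrg_dialog_private_key_wait_done(waithandle);
}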

static void create_privkey_cb(void *opdata, const char *accountname,
	const char *protocol) 
