alpine 3.6
access weakness #114

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

nasm/src/nasm-2.12.02/rdoff/rdlar.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

             error_exit(1, false, "premature end of file in '%s'",
                       _argv[2]);
        if (fp2)
            if (fputc(t, fp2) == EOF)
                error_exit(1, false, "write error");
        *p++ = t;
    }
    int32_ttolocal(&l);
    return l;
}

/*
 * Create a new library
 */
int create_library(char *libname)
{
    FILE *libfp;
    struct rdlm_hdr hdr;

    hdr.magic = RDLAMAG;
    hdr.hdrsize = 0;
    hdr.date = time(NULL);
    hdr.owner = getuid();
    hdr.group = getgid();
    hdr.mode = umask(022);
    hdr.size = 0;

    libfp = fopen(libname, "wb");
    if (!libfp)
        error_exit(1, true, "could not open '%s'\n", libname);

    /* Write library header */
    put_header(&hdr, libfp, NULL);

    fclose(libfp);
    return true;
}

/*
 * Add a module to the library
 */
int add_module(FILE * libfp, const char *fname, char *modname)
{
    FILE *modfp;
    struct rdlm_hdr hdr = { RDLMMAG, 0, 0, 0, 0, 0, 0 };
    struct stat finfo;
    int i;

    if (options.verbose)
        fprintf(stderr, "adding module %s\n", modname); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.