alpine 3.6
access weakness #218

Weakness Breakdown
Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

mutt/src/mutt-1.10.1/main.c

Context:

The line of code below that sets the process umask is the trigger point of this particular Alpine 3.6 access weakness.

  if (getegid() != getgid())
  {
    fprintf(stderr, "%s: I don't want to run with privileges!\n",
	    argv[0]);
    exit(1);
  }

  setlocale (LC_ALL, "");

#ifdef ENABLE_NLS
  /* FIXME what about the LOCALES_HACK in mutt_init() [init.c] ? */
  {
    char *domdir = getenv ("TEXTDOMAINDIR");
    if (domdir && domdir[0])
      bindtextdomain (PACKAGE, domdir);
    else
      bindtextdomain (PACKAGE, MUTTLOCALEDIR);
    textdomain (PACKAGE);
  }
#endif

  mutt_error = mutt_nocurses_error;
  mutt_message = mutt_nocurses_error;
  SRAND (time (NULL));
  umask (077);  /* trigger point of this access weakness: the umask is set here */

  memset (Options, 0, sizeof (Options));
  memset (QuadOptions, 0, sizeof (QuadOptions));

  /* Init envlist */
  {
    char **srcp, **dstp;
    int count = 0;
    for (srcp = environ; srcp && *srcp; srcp++)
      count++;
    envlist = safe_calloc(count+1, sizeof(char *));
    for (srcp = environ, dstp = envlist; srcp && *srcp; srcp++, dstp++)
      *dstp = safe_strdup(*srcp);
  }

  for (optind = 1; optind < double_dash; )
  {
    /* We're getopt'ing POSIXLY, so we'll be here every time getopt()
     * encounters a non-option.  That could be a file to attach 
     * (all non-options between -a and --) or it could be an address
     * (which gets collapsed to the front of argv).
     */
    for (; optind < argc; optind++)
    {
      if (argv[optind][0] == '-' && argv[optind][1] != '\0') 