alpine 3.6
access weakness #219

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

inetutils-syslogd/src/inetutils-1.9.4/ftpd/ftpcmd.c

Context:

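The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlight is not visible in this text rendering; the warning concerns `umask()`, which the excerpt calls in two parser cases. Case 41 calls `umask (0)` only to read the current mask and restores it on the next line, so the mask is 0 only between those two calls. Case 42 sets the mask to the value parsed from the command and rejects it only when it is -1 or greater than 0777, so any mask up to and including 0 is accepted. When triaging this finding, the case 42 path is the one to assess: decide whether a permissive mask is acceptable for files the server creates afterwards, or whether the accepted range should be narrowed. Both cases run only when an earlier parser value is non-zero (presumably a login check; confirm in ftpcmd.y).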

 #line 498 "ftpcmd.y" /* yacc.c:1646  */
    {
			help (sitetab, (char *) 0);
		}
#line 2062 "ftpcmd.c" /* yacc.c:1646  */
    break;

  case 40:
#line 502 "ftpcmd.y" /* yacc.c:1646  */
    {
			help (sitetab, (yyvsp[-1].s));
			free ((yyvsp[-1].s));
		}
#line 2071 "ftpcmd.c" /* yacc.c:1646  */
    break;

  case 41:
#line 507 "ftpcmd.y" /* yacc.c:1646  */
    {
			int oldmask;

			if ((yyvsp[-1].i))
			  {
			    oldmask = umask (0);
			    umask (oldmask);
			    reply (200, "Current UMASK is %03o", oldmask);
			  }
		}
#line 2086 "ftpcmd.c" /* yacc.c:1646  */
    break;

  case 42:
#line 518 "ftpcmd.y" /* yacc.c:1646  */
    {
			int oldmask;

			if ((yyvsp[-3].i))
			  {
			    if (((yyvsp[-1].i) == -1) || ((yyvsp[-1].i) > 0777))
			      reply (501, "Bad UMASK value");
			    else
			      {
				oldmask = umask ((yyvsp[-1].i));
				reply (200, "UMASK set to %03o (was %03o)",
				      (yyvsp[-1].i), oldmask);
			      }
			  }
		}
#line 2106 "ftpcmd.c" /* yacc.c:1646  */
    break; 
