alpine 3.6
access weakness #291


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that is set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

mmh/src/mmh-0.3/uip/mhbuild.c

Context:

The highlighted line of code below (the umask() call) is the trigger point of this particular Alpine 3.6 access weakness.

 }

/*
** Main routine for translating composition file
** into valid MIME message.  It translates the draft
** into a content structure (actually a tree of content
** structures).  This message then can be manipulated
** in various ways, including being output via
** output_message().
*/
static CT
build_mime(char *infile)
{
	enum state state;
	struct field f = {{0}};
	int compnum;
	char buf[BUFSIZ];
	char *cp, *np, *vp;
	struct multipart *m;
	struct part **pp;
	CT ct;
	FILE *in;
	HF hp;

	umask(~m_gmprot());

	/* open the composition draft */
	if ((in = fopen(infile, "r")) == NULL) {
		adios(EX_IOERR, infile, "unable to open for reading");
	}

	/*
	** Allocate space for primary (outside) content
	*/
	ct = mh_xcalloc(1, sizeof(*ct));

	/*
	** Allocate structure for handling decoded content
	** for this part.  We don't really need this, but
	** allocate it to remain consistent.
	*/
	init_decoded_content(ct);

	/*
	** Parse some of the header fields in the composition
	** draft into the linked list of header fields for
	** the new MIME message.
	*/
	for (compnum = 1, state = FLD2;;) {
		switch (state = m_getfld2(state, &f, in)) { 
