alpine 3.6
access weakness #295

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given the most restrictive possible setting.

File Name:

mmh/src/mmh-0.3/uip/rcvdist.c

Context:

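The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlighting does not survive in this plain-text listing; the warning concerns umask, and the only umask call in the excerpt is `umask(~m_gmprot());`. The mask passed there is the bitwise complement of whatever m_gmprot() returns, so how restrictive it is depends on that value, which the excerpt does not show. The mask governs the permission bits of files the process creates after the call.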

 
			case HELPSW:
				snprintf(buf, sizeof(buf), "%s [switches] [switches for spost] address ...", invo_name);
				print_help(buf, switches, 1);
				exit(argc == 2 ? EX_OK : EX_USAGE);
			case VERSIONSW:
				print_version(invo_name);
				exit(argc == 2 ? EX_OK : EX_USAGE);

			case FORMSW:
				if (!(form = *argp++) || *form == '-') {
					adios(EX_USAGE, NULL, "missing argument to %s",
							argp[-2]);
				}
				continue;
			}
		}
		addrs = addrs ? add(cp, add(", ", addrs)) : mh_xstrdup(cp);
	}

	if (!addrs) {
		adios(EX_USAGE, NULL, "usage: %s [switches] [switches for spost] address ...", invo_name);
	}

	umask(~m_gmprot());

	tfile = m_mktemp2(NULL, invo_name, NULL, &fp);
	if (tfile == NULL) adios(EX_CANTCREAT, "rcvdist", "unable to create temporary file");
	strncpy(tmpfil, tfile, sizeof(tmpfil));

	cpydata(fileno(stdin), fileno(fp), "message", tmpfil);
	fseek(fp, 0L, SEEK_SET);

	tfile = m_mktemp2(NULL, invo_name, NULL, NULL);
	if (tfile == NULL) adios(EX_CANTCREAT, "forw", "unable to create temporary file");
	strncpy(drft, tfile, sizeof(tmpfil));

	rcvdistout(fp, form, addrs);
	fclose(fp);

	if (distout(drft, tmpfil, backup) == NOTOK) {
		exit(EX_IOERR);
	}

	vec[0] = "spost";
	vec[vecp++] = "-dist";
	vec[vecp++] = drft;
	vec[vecp] = NULL;

	execvp(*vec, vec); 
