alpine 3.6
access weakness #329

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

lvm2/src/LVM2.2.02.168/liblvm/lvm_misc.c

Context:

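The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. (The highlighting is not preserved in this listing; the warning text refers to the umask() calls in store_user_env() and restore_user_env().)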

 		}
	} else if (pvcp) {
		if (!pv_create_param_set_property(pvcp, &prop)) {
			v->is_valid = 0;
			return -1;
		}
	} else {
		return -1;
	}
	return 0;
}

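/*
 * Store anything that may need to be restored back to the user on library
 * call exit.  Currently the only thing we are preserving is the user's umask.
 *
 * With a command context, the process umask is replaced by
 * cmd->default_settings.umask and the caller's previous umask is returned in
 * the saved environment.  Without one, the current umask is only read and is
 * left unchanged on return.
 *
 * NOTE(review): default_settings.umask is populated outside this file
 * section; confirm the configured value is restrictive (no group/other
 * access), since every file created during the library call inherits it.
 *
 * The umask is a process-wide attribute, so in a multi-threaded caller the
 * change made here is visible to all threads until the saved value is
 * written back.
 */
struct saved_env store_user_env(struct cmd_context *cmd)
{
	struct saved_env env = {0};

	if (cmd) {
		env.user_umask = umask(cmd->default_settings.umask);
	} else {
		/*
		 * umask() can only be read by setting it.  Probe with an
		 * owner-only mask instead of 0 so that a file created by
		 * another thread between the two calls is not left
		 * group/world accessible.
		 */
		env.user_umask = umask(0077);
		umask(env.user_umask);
	}

	return env;
}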

/*
 * Write the umask held in a saved environment back to the process.
 * A NULL env is ignored and the umask is left untouched.
 */
void restore_user_env(const struct saved_env *env)
{
	if (!env)
		return;

	umask(env->user_umask);
}
