alpine 3.6
access weakness #337


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given the most restrictive possible setting.

File Name:

transmission/src/transmission-2.92/libtransmission/session.c

Context:

The highlighted line in the code excerpt below is the trigger point of this particular Alpine 3.6 access weakness; the excerpt shows only the beginning of the function and is truncated before its end.

 static void
sessionSetImpl (void * vdata)
{
  int64_t i;
  double  d;
  bool boolVal;
  const char * str;
  struct tr_bindinfo b;
  struct init_data * data = vdata;
  tr_session * session = data->session;
  tr_variant * settings = data->clientSettings;
  struct tr_turtle_info * turtle = &session->turtle;

  assert (tr_isSession (session));
  assert (tr_variantIsDict (settings));
  assert (tr_amInEventThread (session));

  if (tr_variantDictFindInt (settings, TR_KEY_message_level, &i))
    tr_logSetLevel (i);

#ifndef _WIN32
  if (tr_variantDictFindInt (settings, TR_KEY_umask, &i))
    {
      session->umask = (mode_t)i;
      umask (session->umask);
    }
#endif

  /* misc features */
  if (tr_variantDictFindInt (settings, TR_KEY_cache_size_mb, &i))
    tr_sessionSetCacheLimit_MB (session, i);
  if (tr_variantDictFindInt (settings, TR_KEY_peer_limit_per_torrent, &i))
    tr_sessionSetPeerLimitPerTorrent (session, i);
  if (tr_variantDictFindBool (settings, TR_KEY_pex_enabled, &boolVal))
    tr_sessionSetPexEnabled (session, boolVal);
  if (tr_variantDictFindBool (settings, TR_KEY_dht_enabled, &boolVal))
    tr_sessionSetDHTEnabled (session, boolVal);
  if (tr_variantDictFindBool (settings, TR_KEY_utp_enabled, &boolVal))
    tr_sessionSetUTPEnabled (session, boolVal);
  if (tr_variantDictFindBool (settings, TR_KEY_lpd_enabled, &boolVal))
    tr_sessionSetLPDEnabled (session, boolVal);
  if (tr_variantDictFindInt (settings, TR_KEY_encryption, &i))
    tr_sessionSetEncryption (session, i);
  if (tr_variantDictFindStr (settings, TR_KEY_peer_socket_tos, &str, NULL))
    session->peerSocketTOS = parse_tos (str);
  if (tr_variantDictFindStr (settings, TR_KEY_peer_congestion_algorithm, &str, NULL))
    session->peer_congestion_algorithm = tr_strdup (str);
  else
    session->peer_congestion_algorithm = tr_strdup ("");
  if (tr_variantDictFindBool (settings, TR_KEY_blocklist_enabled, &boolVal)) 
