alpine 3.6
access weakness #354

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

jwhois/src/jwhois-4.0/src/cache.c

Context:

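The highlighted line of code below, the `umask(0);` call immediately before `dbm_open`, is the trigger point of this particular Alpine 3.6 access weakness. A umask of 0 masks off no permission bits, so the cache database is created with exactly the mode passed to `dbm_open` as `DBM_MODE` (defined outside this excerpt); if that mode grants group or world write access, other local users can modify the cached data. The excerpt also discards the return value of `umask`, so the previous mask is not restored in the code shown and, unless it is reset elsewhere, the cleared mask applies to any file the process creates afterwards. Setting a restrictive mask (for example 077) before the open, or saving and restoring the previous mask around it, limits the exposure.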

     cfname = j->value;

  if (verbose>1) printf("[Cache: Cache file name = \"%s\"]\n",cfname);

  jconfig_set();
  j = jconfig_getone("jwhois", "cacheexpire");
  if (!j)
    ret = CACHEEXPIRE;
  else
    ret = j->value;
#ifdef HAVE_STRTOL
  cfexpire = strtol(ret, &ret2, 10);
  if (*ret2 != '\0')
    {
      if (verbose)
	printf("[Cache: %s: %s]\n", _("Invalid expire time"), ret);
      cfexpire = 168;
    }
#else
  cfexpire = atoi(ret2);
#endif /* HAVE_STRTOL */

  if (verbose>1) printf("[Cache: Expire time = %d]\n", cfexpire);

  umask(0);
  dbf = dbm_open(cfname, DBM_COPTIONS, DBM_MODE);
  if (!dbf)
    {
      if (verbose) printf("[Cache: %s %s]\n", _("Unable to open"),
			  cfname);
      cache = 0;
      return -1;
    }
  iret = dbm_store(dbf, dbkey, dbstore, DBM_IOPTIONS);
  if (iret < 0)
    {
      if (verbose) printf("[Cache: %s]\n",
			  _("Unable to store data in cache\n"));
      cache = 0;
    }
  dbm_close(dbf);
#endif
  return 0;
}

/*
 *  This stores the passed text in the database with the key 'key'.
 *  Returns 0 on success and -1 on failure.
 */
int 
