alpine 3.6
access weakness #397


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

oprofile/src/oprofile-0.9.9/gui/oprof_start.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 					 "profile at least one of user binaries/kernel");
			return;
		}

		if (cfg.count < descr.min_count || 
		    cfg.count > max_perf_count()) {
			ostringstream out;

			out << "event " << descr.name << " count of range: "
			    << cfg.count << " must be in [ "
			    << descr.min_count << ", "
			    << max_perf_count()
			    << "]";

			QMessageBox::warning(this, 0, out.str().c_str());
			return;
		}

		if (descr.unit &&
		    descr.unit->unit_type_mask == utm_bitmask &&
		    cfg.umask == 0) {
			ostringstream out;

			out << "event " << descr.name << " invalid unit mask: "
			    << cfg.umask << endl;

			QMessageBox::warning(this, 0, out.str().c_str());
			return;
		}
	}

	if (one_enable == false && cpu_type != CPU_TIMER_INT) {
		QMessageBox::warning(this, 0, "No counters enabled.\n");
		return;
	}

	if (daemon_status().running) {
		// gcc 2.91 work around
		int user_choice = 0;
		user_choice =
			QMessageBox::warning(this, 0,
					     "Profiler already started:\n\n"
					     "stop and restart it?",
					     "&Restart", "&Cancel", 0, 0, 1);

		if (user_choice == 1)
			return;

		// this flush profiler data also.
		on_stop_profiler(); 
