alpine 3.6
access weakness #398


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

oprofile/src/oprofile-0.9.9/gui/oprof_start.cpp

Context:

The line of code below that references cfg.umask is the trigger point of this particular Alpine 3.6 access weakness. The warning is keyed on the identifier umask; in this code cfg.umask is the hardware event unit mask that oprofile passes in its --event=name:count:unitmask:kernel:user specification, not the process file-creation mask, so the finding should be verified before treating it as a permissions issue.

	// setted parameters so we use the same config file as command line
	// tools

	args.push_back("--setup");

	bool one_enabled = false;

	vector<string> tmpargs;
	tmpargs.push_back("--setup");

	Q3ListViewItem * cur;
	for (cur = events_list->firstChild(); cur; cur = cur->nextSibling()) {
		if (!cur->isSelected())
			continue;

		event_setting & cfg = event_cfgs[cur->text(0).latin1()];

		op_event_descr const & descr =
			locate_event(cur->text(0).latin1());

		one_enabled = true;

		string arg = "--event=" + descr.name;
		arg += ":" + op_lexical_cast<string>(cfg.count);
		arg += ":" + op_lexical_cast<string>(cfg.umask);
		arg += ":" + op_lexical_cast<string>(cfg.os_ring_count);
		arg += ":" + op_lexical_cast<string>(cfg.user_ring_count);

		tmpargs.push_back(arg);
	}

	// only set counters if at least one is enabled
	if (one_enabled)
		args = tmpargs;

	if (config.no_kernel) {
		args.push_back("--no-vmlinux");
	} else {
		args.push_back("--vmlinux=" + config.kernel_filename);
	}

	args.push_back("--buffer-size=" +
	               op_lexical_cast<string>(config.buffer_size));

	args.push_back("--buffer-watershed=" +
	               op_lexical_cast<string>(config.buffer_watershed));
	args.push_back("--cpu-buffer-size=" +
	               op_lexical_cast<string>(config.cpu_buffer_size));
	if (op_file_readable("/dev/oprofile/backtrace_depth")) {
		args.push_back("--callgraph=" + 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.