alpine 3.6
access weakness #463

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given the most restrictive possible setting.

File Name:

ccache/src/ccache-3.3.4/confitems_lookup.c

Context:

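The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness. The highlighting is not preserved in this listing; the only line in the excerpt that mentions umask is the `{"umask", 29, ITEM(umask, umask)}` table entry. That entry is a configuration key name in a lookup table that the `#line` directives attribute to confitems.gperf, not a call that sets a file mode mask, so the warning should be confirmed against the code that applies the configured umask value before it is treated as a real weakness.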

 #line 24 "confitems.gperf"
      {"keep_comments_cpp",   14, ITEM(keep_comments_cpp, bool)},
#line 28 "confitems.gperf"
      {"max_size",            18, ITEM(max_size, size)},
#line 27 "confitems.gperf"
      {"max_files",           17, ITEM(max_files, unsigned)},
      {"",0,NULL,0,NULL},
#line 33 "confitems.gperf"
      {"read_only_direct",    23, ITEM(read_only_direct, bool)},
#line 19 "confitems.gperf"
      {"disable",              9, ITEM(disable, bool)},
#line 38 "confitems.gperf"
      {"temporary_dir",       28, ITEM(temporary_dir, env_string)},
#line 35 "confitems.gperf"
      {"run_second_cpp",      25, ITEM(run_second_cpp, bool)},
      {"",0,NULL,0,NULL},
#line 18 "confitems.gperf"
      {"direct_mode",          8, ITEM(direct_mode, bool)},
      {"",0,NULL,0,NULL},
#line 22 "confitems.gperf"
      {"hash_dir",            12, ITEM(hash_dir, bool)},
#line 21 "confitems.gperf"
      {"hard_link",           11, ITEM(hard_link, bool)},
#line 39 "confitems.gperf"
      {"umask",               29, ITEM(umask, umask)},
      {"",0,NULL,0,NULL}, {"",0,NULL,0,NULL},
      {"",0,NULL,0,NULL},
#line 25 "confitems.gperf"
      {"limit_multiple",      15, ITEM(limit_multiple, float)},
      {"",0,NULL,0,NULL},
#line 23 "confitems.gperf"
      {"ignore_headers_in_manifest", 13, ITEM(ignore_headers_in_manifest, env_string)},
      {"",0,NULL,0,NULL}, {"",0,NULL,0,NULL},
#line 20 "confitems.gperf"
      {"extra_files_to_hash", 10, ITEM(extra_files_to_hash, env_string)}
    };

  if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH)
    {
      register int key = confitems_hash (str, len);

      if (key <= MAX_HASH_VALUE && key >= 0)
        {
          register const char *s = wordlist[key].name;

          if (*str == *s && !strcmp (str + 1, s + 1))
            return &wordlist[key];
        }
    }
  return 0; 
