alpine 3.6
access weakness #468

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

ccache/src/ccache-3.3.4/util.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 			}
		} while (written < n);
	}

	gzclose(gz_in);
}

#ifndef HAVE_MKSTEMP
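// Cheap and nasty mkstemp replacement for platforms that lack the real one.
// Overwrites the trailing XXXXXX of template in place with a generated name
// and returns a read/write descriptor for the newly created file, or -1 with
// errno set. Opening with O_CREAT|O_EXCL makes open() refuse any path that
// already exists (POSIX specifies this for symlinks too, whatever they point
// at), so the gap between mktemp() and open() can only produce EEXIST, never a
// descriptor on a file someone else planted under the guessed name. (O_EXCL is
// historically unreliable on old network filesystems; nothing here can help
// with that.) Unlike libc's mkstemp(), mktemp() consumes the pattern on its
// first call, so the original is saved and put back to retry on EEXIST, a
// bounded number of times so a directory full of collisions cannot spin.
int
mkstemp(char *template)
{
	enum { MKSTEMP_MAX_ATTEMPTS = 100 };
	size_t len = strlen(template);
	char *pattern = malloc(len + 1);
	if (!pattern) {
		return -1; // errno left as set by malloc
	}
	memcpy(pattern, template, len + 1);

	int fd = -1;
	for (int attempt = 0; attempt < MKSTEMP_MAX_ATTEMPTS; attempt++) {
		memcpy(template, pattern, len + 1);
		// POSIX mktemp() empties the string when it cannot produce a name;
		// older BSD variants return NULL instead, so accept both signals and
		// fall back to EINVAL if the implementation did not set errno.
		errno = 0;
		char *name = mktemp(template);
		if (!name || !*name) {
			if (errno == 0) {
				errno = EINVAL;
			}
			break;
		}
		fd = open(template, O_RDWR | O_CREAT | O_EXCL | O_BINARY, 0600);
		if (fd >= 0 || errno != EEXIST) {
			break;
		}
	}

	// free() may clobber errno; preserve the value that explains the result.
	int saved_errno = errno;
	free(pattern);
	errno = saved_errno;
	return fd;
}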
#endif

#ifndef _WIN32
static mode_t
get_umask(void)
{
	static bool mask_retrieved = false;
	static mode_t mask;
	if (!mask_retrieved) {
		mask = umask(0);
		umask(mask);
		mask_retrieved = true;
	}
	return mask;
}
#endif

// Copy src to dest, decompressing src if needed. compress_level > 0 decides
// whether dest will be compressed, and with which compression level. Returns 0
// on success and -1 on failure. On failure, errno represents the error.
int
copy_file(const char *src, const char *dest, int compress_level)
{
	int fd_out;
	gzFile gz_in = NULL;
	gzFile gz_out = NULL;
	int saved_errno = 0;

	// Open destination file.
	char *tmp_name = x_strdup(dest);
	fd_out = create_tmp_fd(&tmp_name);
	cc_log("Copying %s to %s via %s (%scompressed)",
	       src, dest, tmp_name, compress_level > 0 ? "" : "un");

	// Open source file. 
