alpine 3.6
access weakness #469


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if the weakness is exploited by malicious actors. An example of this weakness is a default username and password set by the developer that the system administrator never changes.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

cabextract/src/cabextract-1.9/src/cabextract.c

Context:

The highlighted line of code below — the `umask(...)` call that the warning refers to — is the trigger point of this particular Alpine 3.6 access weakness.

 
  /* open libmspack */
  MSPACK_SYS_SELFTEST(err);
  if (err) {
    if (err == MSPACK_ERR_SEEK) {
      fprintf(stderr,
              "FATAL ERROR: libmspack is compiled for %d-bit file IO,\n"
              "             cabextract is compiled for %d-bit file IO.\n",
              (sizeof(off_t) == 4) ? 64 : 32,
              (sizeof(off_t) == 4) ? 32 : 64);
    }
    else {
      fprintf(stderr, "FATAL ERROR: libmspack self-test returned %d\n", err);
    }
    return EXIT_FAILURE;
  }

  if (!(cabd = mspack_create_cab_decompressor(&cabextract_system))) {
    fprintf(stderr, "can't create libmspack CAB decompressor\n");
    return EXIT_FAILURE;
  }

  /* obtain user's umask */
#if HAVE_UMASK
  umask(user_umask = umask(0));
#endif

  /* turn on/off 'fix MSZIP' and 'salvage' mode */
  cabd->set_param(cabd, MSCABD_PARAM_FIXMSZIP, args.fix);
  cabd->set_param(cabd, MSCABD_PARAM_SALVAGE, args.fix);

#if HAVE_ICONV
  /* set up converter for given encoding */
    if (args.encoding) {
      if ((converter = iconv_open("UTF8", args.encoding)) == (iconv_t) -1) {
        converter = NULL;
        fprintf(stderr, "FATAL ERROR: encoding '%s' is not recognised\n",
            args.encoding);
        return EXIT_FAILURE;
      }
    }
#endif

  /* process cabinets */
  for (i = optind, err = 0; i < argc; i++) {
    err += process_cabinet(argv[i]);
  }

  /* error summary */
  if (!args.quiet) { 
