alpine 3.6
access weakness #470


Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but are not changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

transmission/src/transmission-2.92/libtransmission/session.h

Context:

The highlighted line of code below (the declaration of umask) is the trigger point of this particular Alpine 3.6 access weakness.

    bool                         isUTPEnabled;
    bool                         isLPDEnabled;
    bool                         isBlocklistEnabled;
    bool                         isPrefetchEnabled;
    bool                         isTorrentDoneScriptEnabled;
    bool                         isClosing;
    bool                         isClosed;
    bool                         isIncompleteFileNamingEnabled;
    bool                         isRatioLimited;
    bool                         isIdleLimited;
    bool                         isIncompleteDirEnabled;
    bool                         pauseAddedTorrent;
    bool                         deleteSourceTorrent;
    bool                         scrapePausedTorrents;

    uint8_t                      peer_id_ttl_hours;

    tr_variant                   removedTorrents;

    bool                         stalledEnabled;
    bool                         queueEnabled[2];
    int                          queueSize[2];
    int                          queueStalledMinutes;

    int                          umask;

    unsigned int                 speedLimit_Bps[2];
    bool                         speedLimitEnabled[2];

    struct tr_turtle_info        turtle;

    struct tr_fdInfo           * fdInfo;

    int                          magicNumber;

    tr_encryption_mode           encryptionMode;

    tr_preallocation_mode        preallocationMode;

    struct event_base          * event_base;
    struct evdns_base          * evdns_base;
    struct tr_event_handle     * events;

    uint16_t                     peerLimit;
    uint16_t                     peerLimitPerTorrent;

    int                          uploadSlotsPerTorrent;

    /* The UDP sockets used for the DHT and uTP. */
    tr_port                      udp_port; 
