alpine 3.6
access weakness #493

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is a default username and password that are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

dansguardian/src/dansguardian-2.12.0.3/src/BackedStore.cpp

Context:

The highlighted line of code below (the umask() call named in the warning) is the trigger point of this particular Alpine 3.6 access weakness.

 			// Success!  Return new filename
			return storedname_str;
		else if (errno != EXDEV)
		{
			// Failure - but ignore EXDEV, as we can "recover"
			// from that by taking a different approach
			std::ostringstream ss;
			ss << "BackedStore could not create link to existing temp file: " << strerror(errno);
			throw std::runtime_error(ss.str().c_str());
		}
	}
	
	// We don't already have a temp file,
	// or a simple link wasn't sufficient (EXDEV)
	// Generate a new filename in the given directory, with the given name prefix
	// Include timestamp in the name for added uniqueness
	std::ostringstream timedprefix;
	timedprefix << prefix << '-' << time(NULL) << '-' << std::flush;
	std::string storedname_str(timedprefix.str() + "XXXXXX");
	char *storedname = const_cast<char*>(storedname_str.c_str());
#ifdef DGDEBUG
	std::cout << "BackedStore: storedname template: " << storedname << std::endl;
#endif
	int storefd;
	umask(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
	if ((storefd = mkstemp(storedname)) < 0)
	{
		std::ostringstream ss;
		ss << "BackedStore could not create stored file: " << strerror(errno);
		throw std::runtime_error(ss.str().c_str());
	}
#ifdef DGDEBUG
	std::cout << "BackedStore: storedname: " << storedname << std::endl;
#endif
	
	// Dump the RAM buffer/mmap-ed file contents to disk in the new location
	if (fd >= 0 && map == MAP_FAILED)
		throw std::runtime_error("BackedStore could not copy existing temp file: store not finalised");

	size_t bytes_written = 0;
	ssize_t rc = 0;
	if (fd >= 0)
	{
		do
		{
			rc = write(storefd, (const char*) map + bytes_written, length - bytes_written);
			if (rc > 0)
				bytes_written += rc;
		}
		while (bytes_written < length && (rc > 0 || errno == EINTR)); 
