alpine 3.6
access weakness #496


Weakness Breakdown


An access weakness occurs when software does not properly implement permissions, which can have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but never changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:



The trigger point of this particular Alpine 3.6 access weakness is the mkstemp() call in DataBuffer::getTempFileFD() in the code below: the temporary file is created without first restricting the process umask.

			return rc;  // just return with the return code
		}
		pos += rc;
		gettimeofday(&nowadays, NULL);
		if (nowadays.tv_sec - starttime.tv_sec > timeout) {
#ifdef DGDEBUG
			std::cout << "buffered socket read more than timeout" << std::endl;
#endif
			return pos;  // just return how much got so far then
		}
	}
	return size;  // full buffer
}

// make a temp file and return its FD. only currently used in DM plugins.
int DataBuffer::getTempFileFD()
{
	if (tempfilefd > -1) {
		return tempfilefd;  // already have one open
	}
	tempfilepath = o.download_dir.c_str();
	tempfilepath += "/tfXXXXXX";
	char *tempfilepatharray = new char[tempfilepath.length() + 1];
	strcpy(tempfilepatharray, tempfilepath.toCharArray());
	// mkstemp() fills in the XXXXXX template and opens the file; the
	// resulting permissions depend on the process umask (the flagged line)
	if ((tempfilefd = mkstemp(tempfilepatharray)) < 0) {
#ifdef DGDEBUG
		std::cerr << "error creating temp " << tempfilepath << ": " << strerror(errno) << std::endl;
#endif
		syslog(LOG_ERR, "Could not create temp file to store download for scanning: %s", strerror(errno));
		tempfilefd = -1;
		tempfilepath = "";
	} else {
		tempfilepath = tempfilepatharray;  // keep the generated name
	}
	delete[] tempfilepatharray;  // scratch copy no longer needed
	return tempfilefd;
}

// check the client's user agent, see if we have a DM plugin compatible with it, and use it to download the body of the given request
bool DataBuffer::in(Socket * sock, Socket * peersock, HTTPHeader * requestheader, HTTPHeader * docheader, bool runav, int *headersent)
{
	//Socket *sock = where to read from
	//Socket *peersock = browser to send stuff to for keeping it alive
	//HTTPHeader *requestheader = header client used to request
	//HTTPHeader *docheader = header used for sending first line of reply
	//bool runav = to determine if limit is av or not
	//int *headersent = to use to send the first line of header if needed
	//				  or to mark that the header has already been sent

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.