alpine 3.6
shell weakness #11

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

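The flagged exec-family call causes a new program to execute and is difficult to use safely: execvp() and execlp() look the command up via PATH when its name contains no slash, so both the command string and the process environment need to come from a trusted source.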

File Name:

gnome-vfs/src/gnome-vfs-2.24.4/libgnomevfs/gnome-vfs-pty.c

Context:

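The highlighted line of code below is the trigger point of this particular Alpine 3.6 shell weakness. (The highlighting is not preserved in this listing; the exec-family calls in the excerpt are `execvp(command, args)` and `execlp(command, arg, NULL)`. The excerpt begins partway through a function, so where `command` and `argv` come from is not visible here, and whether the finding is reachable with untrusted input has to be confirmed against the callers.)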

 	/* Initialize so valgrind doesn't complain */
	c = 0;
	n_write(ready_writer, &c, 1);
	fsync(ready_writer);
	n_read(ready_reader, &c, 1);
#ifdef GNOME_VFS_DEBUG
	if (_gnome_vfs_debug_on(GNOME_VFS_DEBUG_PTY)) {
		fprintf(stderr, "Child received parent-ready.\n");
	}
#endif
	close(ready_writer);
	if (ready_writer != ready_reader) {
		close(ready_reader);
	}

	/* If the caller provided a command, we can't go back, ever. */
	if (command != NULL) {
		/* Outta here. */
		if (argv != NULL) {
			for (i = 0; (argv[i] != NULL); i++) ;
			args = g_malloc0(sizeof(char*) * (i + 1));
			for (i = 0; (argv[i] != NULL); i++) {
				args[i] = g_strdup(argv[i]);
			}
			execvp(command, args);
		} else {
			arg = g_strdup(command);
			execlp(command, arg, NULL);
		} 

		/* Avoid calling any atexit() code. */
		_exit(0);
		g_assert_not_reached();
	}

	return 0;
}

/* Open the named PTY slave, fork off a child (storing its PID in child),
 * and exec the named command in its own session as a process group leader */
static int
_gnome_vfs_pty_fork_on_pty_name(const char *path, int parent_fd, char **env_add,
				const char *command, char **argv,
				const char *directory,
				int columns, int rows, 
				int *stdin_fd, int *stdout_fd, int *stderr_fd, 
				pid_t *child, gboolean reapchild, gboolean login)
{
	int fd, i;
	char c; 
