alpine 3.6
shell weakness #50

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

The flagged call causes a new program to execute and is difficult to use safely.

File Name:

gawk/src/gawk-4.1.4/io.c

Context:

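The highlighted line of code below is the trigger point of this particular Alpine 3.6 shell weakness. The highlighting did not survive in this copy; the line that matches the warning appears to be the `popen(str, binmode("w"))` call in the `redirect_pipe` case, where `str` is handed to the system shell as the command to run. Whether the finding is exploitable depends on whether untrusted input can reach `str`, which this excerpt does not show.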

 			 * by explicit close() before reading more
			 */
			save_rp = NULL;
			return rp;
		}
		mode = NULL;
		errno = 0;
		switch (redirtype) {
		case redirect_output:
			mode = binmode("w");
			if ((rp->flag & RED_USED) != 0)
				mode = (rp->mode[1] == 'b') ? "ab" : "a";
			break;
		case redirect_append:
			mode = binmode("a");
			break;
		case redirect_pipe:
			/* synchronize output before new pipe */
			(void) flush_io();

			os_restore_mode(fileno(stdin));
#ifdef SIGPIPE
			signal(SIGPIPE, SIG_DFL);
#endif
			if ((rp->output.fp = popen(str, binmode("w"))) == NULL)
				fatal(_("can't open pipe '%s' for output (%s)"),
						str, strerror(errno));
#ifdef SIGPIPE
			signal(SIGPIPE, SIG_IGN);
#endif

			/* set close-on-exec */
			os_close_on_exec(fileno(rp->output.fp), str, "pipe", "to");
			rp->flag |= RED_NOBUF;
			break;
		case redirect_pipein:
			direction = "from";
			if (gawk_popen(str, rp) == NULL)
				fatal(_("can't open pipe '%s' for input (%s)"),
					str, strerror(errno));
			break;
		case redirect_input:
			direction = "from";
			fd = devopen(str, binmode("r"));
			if (fd == INVALID_HANDLE && errno == EISDIR) {
				*errflg = EISDIR;
				/* do not free rp, saving it for reuse (save_rp = rp) */
				return NULL;
			}
			rp->iop = iop_alloc(fd, str, errno); 
