alpine 3.6
shell weakness #79

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

kyua/src/kyua-0.13/utils/fs/operations.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 shell weakness.

         throw fs::system_error(F("unmount(%s) failed") % mount_point,
                               original_errno);
    }
}


/// Unmounts a file system using umount(8).
///
/// \pre umount(2) must not be available; i.e. have_unmount2 must be false.
///
/// \param mount_point The file system to unmount.
///
/// \throw fs::error If the execution of umount(8) fails.
static void
unmount_with_umount8(const fs::path& mount_point)
{
    PRE(!have_unmount2);

    const pid_t pid = ::fork();
    if (pid == -1) {
        const int original_errno = errno;
        throw fs::system_error("Cannot fork to execute unmount tool",
                               original_errno);
    } else if (pid == 0) {
        const int ret = ::execlp(UMOUNT, "umount", mount_point.c_str(), NULL);
        INV(ret == -1);
        std::cerr << "Failed to exec " UMOUNT "\n";
        std::exit(EXIT_FAILURE);
    }

    int status;
retry:
    if (::waitpid(pid, &status, 0) == -1) {
        const int original_errno = errno;
        if (errno == EINTR)
            goto retry;
        throw fs::system_error("Failed to wait for unmount subprocess",
                               original_errno);
    }

    if (WIFEXITED(status)) {
        if (WEXITSTATUS(status) == EXIT_SUCCESS)
            return;
        else
            throw fs::error(F("Failed to unmount %s; returned exit code %s")
                              % mount_point % WEXITSTATUS(status));
    } else
        throw fs::error(F("Failed to unmount %s; unmount tool received signal")
                        % mount_point);
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.