alpine 3.6
shell weakness #80

4

Weakness Breakdown


Definition:

A shell weakness occurs when a program enables an attacker to execute unexpected commands on the operating system.

Warning code(s):

This causes a new program to execute and is difficult to use safely.

File Name:

kyua/src/kyua-0.13/utils/process/isolation_test.cpp

Context:

The highlighted line of code below (the ::execv call in check_no_terminal) is the trigger point of this particular Alpine 3.6 shell weakness.

/// failure otherwise.
static void
check_new_session(void)
{
    process::isolate_child(none, fs::path("."));
    std::exit(::getsid(::getpid()) == ::getpid() ? EXIT_SUCCESS : EXIT_FAILURE);
}


/// Subprocess that validates the disconnection from any terminal.
///
/// \post Exits with success if the environment is clean; failure otherwise.
static void
check_no_terminal(void)
{
    process::isolate_child(none, fs::path("."));

    const char* const args[] = {
        "/bin/sh",
        "-i",
        "-c",
        "echo success",
        NULL
    };
    ::execv("/bin/sh", UTILS_UNCONST(char*, args));
    std::abort();
}


/// Subprocess that validates that it has become the leader of a process group.
///
/// \post Exits with success if the process lives in its own process group;
/// failure otherwise.
static void
check_process_group(void)
{
    process::isolate_child(none, fs::path("."));
    std::exit(::getpgid(::getpid()) == ::getpid() ?
              EXIT_SUCCESS : EXIT_FAILURE);
}


/// Subprocess that validates that the umask has been reset.
///
/// \post Exits with success if the umask matches the expected value; failure
/// otherwise.
static void
check_umask(void)
{
    process::isolate_child(none, fs::path(".")); 
