alpine 3.7
tmpfile weakness #12

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

openldap/src/openldap-2.4.46/libraries/liblutil/utils.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

 	
	while ((*a++ = *b++) && n-- > 0) ;
	return a-1;
}

/* memcopy is like memcpy except it returns a pointer to the byte past
 * the end of the result buffer, set to NULL. This allows fast construction
 * of catenated buffers.  Provided for API consistency with lutil_str*copy().
 */
char *
lutil_memcopy(
	char *a,
	const char *b,
	size_t n
)
{
	AC_MEMCPY(a, b, n);
	return a + n;
}

#ifndef HAVE_MKSTEMP
int mkstemp( char * template )
{
#ifdef HAVE_MKTEMP
	return open ( mktemp ( template ), O_RDWR|O_CREAT|O_EXCL, 0600 );
#else
	return -1;
#endif
}
#endif

#ifdef _MSC_VER
/* Equivalent of MS CRT's _dosmaperr().
 * @param lastError[in] Result of GetLastError().
 */
static errno_t win2errno(DWORD lastError)
{
	const struct { 
		DWORD   windows_code;
		errno_t errno_code;
	} WIN2ERRNO_TABLE[] = {
		{ ERROR_SUCCESS, 0 },
		{ ERROR_FILE_NOT_FOUND, ENOENT },
		{ ERROR_PATH_NOT_FOUND, ENOENT },
		{ ERROR_TOO_MANY_OPEN_FILES, EMFILE },
		{ ERROR_ACCESS_DENIED, EACCES },
		{ ERROR_INVALID_HANDLE, EBADF },
		{ ERROR_NOT_ENOUGH_MEMORY, ENOMEM },
		{ ERROR_LOCK_VIOLATION, EACCES },
		{ ERROR_FILE_EXISTS, EEXIST }, 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.