alpine 3.7
tmpfile weakness #2

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

dos2unix/src/dos2unix-7.4.0/common.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

   if (! fname_str)
    return NULL;
  if (d2u_WideCharToMultiByte(CP_UTF8, 0, szTempFileNamew, -1, fname_str, MAX_PATH, NULL, NULL) == 0)
    return NULL;
#else
  uRetVal = GetTempFileNameA(dn, bn, 0, szTempFileName);
  free(cpy1);
  free(cpy2);
  if (! uRetVal) {
    d2u_PrintLastError("dos2unix");
    return NULL;
  }
  len = strlen(szTempFileName) +1;
  fname_str = (char *)malloc(len);
  if (! fname_str)
    return NULL;
  d2u_strncpy(fname_str, szTempFileName,len);
#endif
  /* replace all back slashes with slashes */
  while ( (ptr = strchr(fname_str,'\\')) != NULL)
    *ptr = '/';
  return fname_str;

#else
  return mktemp(template);
#endif
}
#endif

FILE* MakeTempFileFrom(const char *OutFN, char **fname_ret)
{
  char *cpy = strdup(OutFN);
  char *dir = NULL;
  size_t fname_len = 0;
  char  *fname_str = NULL;
  FILE *fp = NULL;  /* file pointer */
#ifdef NO_MKSTEMP
  char *name;
#else
  int fd = -1;  /* file descriptor */
#endif

  *fname_ret = NULL;

  if (!cpy)
    goto make_failed;

  dir = dirname(cpy);

  fname_len = strlen(dir) + strlen("/d2utmpXXXXXX") + sizeof (char); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.