alpine 3.7
tmpfile weakness #24

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ckermit/src/ckcftp.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

 #ifdef UNIX                             /* Systems that have a standard */
                p = "/tmp/";            /* temporary directory... */
#else
#ifdef datageneral
            p = ":TMP:";
#else
            p = "";
#endif /* datageneral */
#endif /* UNIX */
        }
        debug(F110,"ftp remote_files p",p,0);

	/* Get temp file */

	if ((tmpfilnam[mlsdepth] = (char *)malloc(CKMAXPATH+1))) {
	    ckmakmsg((char *)tmpfilnam[mlsdepth],
		     CKMAXPATH+1,p,"ckXXXXXX",NULL,NULL);
	} else {
	    printf("?Malloc failure: remote_files()\n");
	    return(NULL);
	}

#ifdef NT
	{
	    char * tmpfil = mktemp((char *)tmpfilnam[mlsdepth]);
	    if ( tmpfil )
		ckstrncpy(tmpfilnam[mlsdepth],tmpfil,CKMAXPATH+1);
	}
#else /* NT */
#ifdef MKTEMP
#ifdef MKSTEMP
	x = mkstemp((char *)tmpfilnam[mlsdepth]);
	if (x > -1) close(x);		/* We just want the name. */
#else
        mktemp((char *)tmpfilnam[mlsdepth]);
#endif /* MKSTEMP */
        /* if no mktmpnam() the name will just be "ckXXXXXX"... */
#endif /* MKTEMP */
#endif /* NT */

	debug(F111,"ftp remote_files tmpfilnam[mlsdepth]",
	      tmpfilnam[mlsdepth],mlsdepth);

#ifdef FTP_PROXY
        if (proxy_switch) {
            pswitch(!proxy);
        }
#endif /* FTP_PROXY */

        debug(F101,"ftp remote_files ftp_xla","",ftp_xla); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.