alpine 3.7
tmpfile weakness #47

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ckermit/src/ckcftp.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

         debug(F110,"ftp remote_files p",p,0);

	/* Get temp file */

	if ((tmpfilnam[mlsdepth] = (char *)malloc(CKMAXPATH+1))) {
	    ckmakmsg((char *)tmpfilnam[mlsdepth],
		     CKMAXPATH+1,p,"ckXXXXXX",NULL,NULL);
	} else {
	    printf("?Malloc failure: remote_files()\n");
	    return(NULL);
	}

#ifdef NT
	{
	    char * tmpfil = mktemp((char *)tmpfilnam[mlsdepth]);
	    if ( tmpfil )
		ckstrncpy(tmpfilnam[mlsdepth],tmpfil,CKMAXPATH+1);
	}
#else /* NT */
#ifdef MKTEMP
#ifdef MKSTEMP
	x = mkstemp((char *)tmpfilnam[mlsdepth]);
	if (x > -1) close(x);		/* We just want the name. */
#else
        mktemp((char *)tmpfilnam[mlsdepth]);
#endif /* MKSTEMP */
        /* if no mktmpnam() the name will just be "ckXXXXXX"... */
#endif /* MKTEMP */
#endif /* NT */

	debug(F111,"ftp remote_files tmpfilnam[mlsdepth]",
	      tmpfilnam[mlsdepth],mlsdepth);

#ifdef FTP_PROXY
        if (proxy_switch) {
            pswitch(!proxy);
        }
#endif /* FTP_PROXY */

        debug(F101,"ftp remote_files ftp_xla","",ftp_xla);
        debug(F101,"ftp remote_files ftp_csl","",ftp_csl);
        debug(F101,"ftp remote_files ftp_csr","",ftp_csr);

#ifndef NOCSETS
        xlate = ftp_xla;                /* SET FTP CHARACTER-SET-TRANSLATION */
        if (xlate) {                    /* ON? */
            lcs = ftp_csl;              /* Local charset */
            if (lcs < 0) lcs = fcharset;
            if (lcs < 0) xlate = 0;
        } 
