alpine 3.7
tmpfile weakness #48

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ckermit/src/ckcftp.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 tmpfile weakness.

    char *cp, *mode;

    if (!mflag) {
        if (!doglob) {
            args = NULL;
        } else {
            if (ftemp) {
                (void) fclose(ftemp);
                ftemp = NULL;
            }
        }
        return(NULL);
    }
    if (!doglob) {
        if (args == NULL)
          args = argv;
        if ((cp = *++args) == NULL)
          args = NULL;
        return(cp);
    }
    if (ftemp == NULL) {
        (void) strcpy(temp, _PATH_TMP);
#ifdef MKTEMP
#ifndef MKSTEMP
        (void) mktemp(temp);    /* mktemp() only generates a name; the file is opened later by that name (see fopen below) */
#endif /* MKSTEMP */
#endif /* MKTEMP */
        verbose = 0;
        oldhash = hash, hash = 0;
#ifdef FTP_PROXY
        if (doswitch) {
            pswitch(!proxy);
        }
#endif /* FTP_PROXY */
        for (mode = "wb"; *++argv != NULL; mode = "ab")
          recvrequest ("NLST", temp, *argv, mode, 0);
#ifdef FTP_PROXY
        if (doswitch) {
            pswitch(!proxy);
        }
#endif /* FTP_PROXY */
        hash = oldhash;
        ftemp = fopen(temp, "r");
        unlink(temp);
        if (ftemp == NULL && (!dpyactive || ftp_deb)) {
            printf("Can't find list of remote files, oops\n");
            return(NULL);
        }
    }
    if (fgets(buf, CKMAXPATH, ftemp) == NULL) { 
