A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. The low-privilege process can then read data from the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Temporary file race condition.

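The highlighted line of code below is the trigger point of this particular Alpine 3.8 tmpfile weakness. The highlighting is not preserved in this text copy; of the lines shown here, the only one that refers to temporary-file naming is the `mktemp()` declaration. `mktemp()` returns a name without creating the file, so the race window is the gap between generating the name and opening the file, and the usual mitigation is to create the file atomically with exclusive-create semantics.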

     fatal(" Internal error ('fork' not implemented)");
    /* NOT REACHED */
    return -1;

	 * Simulate pipes using temporary files; hope that the user
	 * doesn't expect pipe i/o to be interleaved with other i/o ;-}.
	 * This was initially based on the MSDOS version, but cannot
	 * use a static array to hold pipe info, because there's no
	 * fixed limit on the range of valid 'fileno's.  Another
	 * difference is that redirection is handled using LIB$SPAWN
	 * rather than constructing a command for system() which uses
	 * '<' or '>'.
#include "vms.h"
#include <errno.h>
#include <lnmdef.h>	/* logical name definitions */

/* Local prototype for strcmp(), declared by hand here. */
extern int strcmp(const char*, const char *);
/*
 * NOTE(review): mktemp() only writes a unique-looking name into its
 * template argument; it does not create the file.  Between that call and
 * whatever later opens the name, another process may create the path
 * first.  The call site is not in this excerpt -- confirm that the file
 * is opened with exclusive-create semantics, or that the name is placed
 * in a directory writable only by the invoking user.
 */
extern char *mktemp(char *);

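/*
 * Forward declarations of file-local helpers; their bodies are outside
 * this excerpt.
 *
 * save_translation() takes a string descriptor and returns an Itm pointer;
 * restore_translation() takes a descriptor together with such an Itm.
 * NOTE(review): the names suggest these save and restore logical-name
 * translations around the spawned command -- confirm against the
 * definitions.
 *
 * The struct tag is written as the single identifier dsc$descriptor_s;
 * a stray space after the '$' made the prototypes unparsable.
 */
static void push_logicals(void);
static void pop_logicals(void);
static Itm *save_translation(const struct dsc$descriptor_s *);
static void restore_translation(const struct dsc$descriptor_s *, const Itm *);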

/*
 * Mode of one simulated pipe.  `unopened` is explicitly 0, so a
 * zero-filled value of this type reads as "not open".
 */
typedef enum {
    unopened = 0,
    reading  = 1,
    writing  = 2
} pipemode;
typedef struct pipe_info {
    char *command;
    char *name;
    pipemode pmode;
/*
 * Dynamically sized table of PIPE entries.  expand_pipes() replaces it
 * with a larger allocation and frees the old one.
 * NOTE(review): presumably indexed by fileno, per the header comment --
 * confirm against the callers.
 */
static PIPE *pipes;
/* Number of entries currently allocated in pipes[]; 0 until the first expand_pipes(). */
static int pipes_lim = 0;

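/* Size in bytes of an array of n PIPE entries. */
#define psize(n) ((n) * sizeof(PIPE))

/*
 * Grow the pipes[] table so that index k is valid.
 *
 * The new limit is the smallest multiple of _NFILE that is greater than k.
 * Existing entries are copied into the new allocation, the old table is
 * freed, and the newly added tail is zero-filled.
 *
 * The tail starts at element index pipes_lim.  new_p is a PIPE pointer, so
 * the offset must be an element count: adding psize(pipes_lim), a byte
 * count, scaled the offset by sizeof(PIPE) a second time and put the
 * memset() outside the allocation whenever the table already held entries.
 *
 * NOTE(review): new_p is used without a NULL check, so this relies on
 * emalloc() (defined elsewhere) not returning on allocation failure --
 * confirm.  It also assumes k >= pipes_lim, otherwise the tail length is
 * negative -- verify against the callers.
 */
#define expand_pipes(k) do {  PIPE *new_p; \
	int new_p_lim = ((k) / _NFILE + 1) * _NFILE; \
	emalloc(new_p, PIPE *, psize(new_p_lim), "expand_pipes"); \
	if (pipes_lim > 0) { \
		memcpy(new_p, pipes, psize(pipes_lim)); \
		free(pipes); \
	} \
	memset(new_p + pipes_lim, 0, psize(new_p_lim - pipes_lim)); \
	pipes = new_p;  pipes_lim = new_p_lim;  } while(0)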


