alpine 3.8
tmpfile weakness #37


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Alpine 3.8 tmpfile weakness.

 // Implementation of mkstemp for windows found on pan-devel mailing
// list archive
// @
#ifndef _S_IREAD
  #define _S_IREAD 256

#ifndef _S_IWRITE
  #define _S_IWRITE 128

#ifndef O_BINARY
  #define O_BINARY 0

#ifndef _O_SHORT_LIVED
  #define _O_SHORT_LIVED 0

#ifdef _MSC_VER
  #include <fcntl.h>
int mkstemp(char *tmpl)
   int ret=-1;
   return ret;

#ifndef O_BINARY
#define O_BINARY 0

#ifndef _O_SHORT_LIVED
#define _O_SHORT_LIVED 0

static string xml_lt("&lt;");
static string xml_gt("&gt;");
static string xml_am("&amp;");
static string xml_ap("&apos;");
static string xml_qu("&quot;");

#if _MSC_VER
//Internal gettimeofday for windows builds
static int gettimeofday(struct timeval *tp, void* tzp){
    tp->tv_sec = time(0);
    return 0; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.