alpine 3.9
race weakness #10

5

Weakness Breakdown


Definition:

A race condition exists when parallel code accesses shared data without proper coordination. An attack that uses a race-condition weakness takes advantage of the unsafe data access to manipulate how one of the parallel sections of code reacts. Even though each process runs as intended, the outcome is unexpected. For example, consider a bank service that depends on an encryption key that it reads from a known location. An independent cryptography service is responsible for generating the key and placing it where the bank is expected to read it in a timely manner. If the bank and cryptography services do not coordinate with each other, then the bank may read a blank encryption key before cryptography writes the key to the location. This can effectively turn off all encryption for the bank without either service, or the administrator, knowing that something has gone wrong.

Warning code(s):

This accepts filename arguments; if an attacker can move those files, a race condition results..

File Name:

cgdb/src/cgdb-0.7.0/lib/util/pseudo.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 race weakness.

 /* pty_release: Releases the slave tty device whose name is in slavename.
 *
 * slavename: the device name of the slave side of the pseudo terminal
 * Returns  : 0 on success or -1 on error.
 *
 * Note: Its ownership is returned to root, and its permissions set to 
 * rw-rw-rw-. Note that only root can execute this function successfully 
 * on most systems. 
 */
int pty_release(const char *slavename)
{
    if (!slavename)
        return set_errno(EINVAL);

    /**
     * Intentionally not checking errors below, as the note above indicates
     * that non root users typically fail here. I'm unaware if this code is
     * even necessary to execute on certain systems. Since this came with
     * the pseudo library, I'm assuming it is useful in some configurations.
     * The solution was to ignore errors on systems that don't allow the
     * following calls.
     */
    chown(slavename, (uid_t) 0, (gid_t) 0);

    chmod(slavename, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);

    return 0;
}

/* pty_set_owner: Changes the ownership of the slave pty device referred to by
 *                slavename to the user id uid.
 *
 * slavename: the device name of the slave side of the pseudo terminal
 * uid      : The new desired user id.
 * Returns  : 0 on success or -1 on error.
 *
 * NOTE: Group ownership of the slave pty device will be changed
 * to the tty group if it exists. Otherwise, it will be changed to the given
 * user's primary group. The slave pty device's permissions are set to
 * rw--w----. Note that only root can execute this function successfully on
 * most systems. Also note that the ownership of the device is automatically
 * set to the real uid of the process by pty_open() and pty_fork(). The
 * permissions are also set automatically by these functions. So
 * pty_set_owner() is only needed when the device needs to be owned by some
 * user other than the real user. 
 */
int pty_set_owner(const char *slavename, uid_t uid)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IWGRP;
    struct stat status[1]; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.