alpine 3.9
tmpfile weakness #65

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

motif/src/motif-2.3.4/tests/Performance/Startup/editor.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 tmpfile weakness.

    /* make appropriate item sensitive */
   XtSetSensitive(text, True);
   XtSetSensitive(cut_button, True);
   XtSetSensitive(copy_button, True);
   XtSetSensitive(clear_button, True);

   return(True);
}


/*-------------------------------------------------------------
**	SaveFile
**		Save the present file.
*/
Boolean SaveFile()
{
    char   * file_string = NULL;    /* Contents of file.		   */
    FILE   *tfp;	            /* Pointer to open temporary file.     */
    char   namebuf[BUFSIZ];         /* for "system" call below             */
    int	   status;
    char   *tempname = (char *)XtMalloc(25); /* Temporary file name. 	   */

    strcpy(tempname, "/tmp/xmeditXXXXXX");
    
    if ((tfp = fopen(mktemp(tempname), "w")) == NULL) {
       fprintf(stderr, "Warning: unable to open temp file, text not saved.\n");
       return(False);;
    }

    /* get the text string */
    file_string = XmTextGetString(text);

    /* write to a temp file */
    fwrite(file_string, sizeof(char), strlen(file_string) + 1, tfp);

    /* flush and close the temp file */
    if (fflush(tfp) != NULL) fprintf(stderr,"Warning: unable to flush file.\n");
    if (fclose(tfp) != NULL) fprintf(stderr,"Warning: unable to close file.\n");

    if (file_string != NULL) {
        XtFree(file_string); /* free the text string */
    }

    /* move the tempname to the saved file, but do it independent
	   of filesystem boundaries */
	sprintf (namebuf, "cp %s %s\0", tempname, filename);
	status = system(namebuf);
	unlink (tempname);
	if (status == 0) {
        file_saved = True; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.