alpine 3.9
tmpfile weakness #70

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

motif/src/motif-2.3.4/config/imake/imake.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.9 tmpfile weakness.

 		ptoken = pbuf+1;
		while (*ptoken == ' ' || *ptoken == '\t')
			ptoken++;
		pend = ptoken;
		while (*pend && *pend != ' ' && *pend != '\t' && *pend != '\n')
			pend++;
		savec = *pend;
		*pend = '\0';
		if (strcmp(ptoken, "define") &&
		    strcmp(ptoken, "if") &&
		    strcmp(ptoken, "ifdef") &&
		    strcmp(ptoken, "ifndef") &&
		    strcmp(ptoken, "include") &&
		    strcmp(ptoken, "line") &&
		    strcmp(ptoken, "else") &&
		    strcmp(ptoken, "elif") &&
		    strcmp(ptoken, "endif") &&
		    strcmp(ptoken, "error") &&
		    strcmp(ptoken, "pragma") &&
		    strcmp(ptoken, "undef")) {
		    if (outFile == NULL) {
		        int fd;
			tmpImakefile = Strdup(tmpImakefile);
#ifndef HAS_MKSTEMP
			if (mktemp(tmpImakefile) == NULL ||
			    (outFile = fopen(tmpImakefile, "w+")) == NULL) {
			    LogFatal("Cannot open %s for write.",
				tmpImakefile);
			}
#else
			fd=mkstemp(tmpImakefile);
			if (fd != -1)
			    outFile = fdopen(fd, "w");
			if (outFile == NULL) {
			    if (fd != -1) {
			       unlink(tmpImakefile); close(fd);
			    }
			    LogFatal("Cannot open %s for write.",
				tmpImakefile);
			}
#endif
		    }
		    writetmpfile(outFile, punwritten, pbuf-punwritten,
				 tmpImakefile);
		    if (ptoken > pbuf + 1)
			writetmpfile(outFile, "XCOMM", 5, tmpImakefile);
		    else
			writetmpfile(outFile, "XCOMM ", 6, tmpImakefile);
		    punwritten = pbuf + 1;
		} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.