centos 6
tmpfile weakness #2

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

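Temporary file race condition: the temporary file's name is chosen in one step and the file is created or opened in a later step, so another local process can create a file or symbolic link at that name in between.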

File Name:

byaccj1.14_src/src/main.c

Context:

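The highlighted line of code below is the trigger point of this particular CentOS 6 tmpfile weakness. The highlighting is not preserved in this text listing; the warning presumably refers to one of the four mktemp() calls, since mktemp() only generates a file name and does not create the file. The code that later opens these names is outside the excerpt. The usual remedy is mkstemp(), which creates and opens the file in a single step, fails if the name already exists, and returns a file descriptor for the program to use instead of reopening the file by name.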

 	strcpy(output_file_name, tmpdir);

    if (len && tmpdir[len - 1] != '/')
    {
	action_file_name[len] = '/';
	text_file_name[len] = '/';
	union_file_name[len] = '/';
	output_file_name[len] = '/';
	++len;
    }

    strcpy(action_file_name + len, temp_form);
    strcpy(text_file_name + len, temp_form);
    strcpy(union_file_name + len, temp_form);
    strcpy(output_file_name + len, temp_form);

    action_file_name[len + 5] = 'a';
    text_file_name[len + 5] = 't';
    union_file_name[len + 5] = 'u';
	output_file_name[len + 5] = 'o';

    mktemp(action_file_name);
    mktemp(text_file_name);
    mktemp(union_file_name);
	mktemp(output_file_name);

    len = strlen(file_prefix);

    if (rflag)
    {
	code_file_name = MALLOC(len + strlen(CODE_SUFFIX) + 1);
	if (code_file_name == 0)
	    no_space();
	strcpy(code_file_name, file_prefix);
	strcpy(code_file_name + len, CODE_SUFFIX);
    }
    else
	code_file_name = output_file_name;

    if (dflag)
    {
	if (jflag)
        {
            jclass_len = strlen(jclass_name);
        
            defines_file_name = MALLOC(jclass_len + strlen(JAVA_INTERFACE_SUFFIX JAVA_OUTPUT_SUFFIX) + 1);/*rwj for 'Tokens.java\0' */
            if (defines_file_name == 0) no_space();
            strcpy(defines_file_name, jclass_name);
            strcpy(defines_file_name + jclass_len, JAVA_INTERFACE_SUFFIX JAVA_OUTPUT_SUFFIX);
            if (jimplement_name && strlen(jimplement_name)>0) 
