centos 6
tmpfile weakness #20

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, typically because the file is temporary and is created after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file. The usual defence is to create the file atomically with exclusive-create semantics and owner-only permissions, in a directory that other users cannot write to.

Warning code(s):

Temporary file race condition.

File Name:

apache-jasper-5.5.28/apache-tomcat-5.5.28-src/connectors/jni/native/src/file.c

Context:

The highlighted line of code below is the trigger point of this particular CentOS 6 tmpfile weakness.

 /* JNI entry point File.trunc: truncates the file behind the native handle
  * `file` at offset `off` by calling apr_file_trunc(), and hands the
  * resulting status back to Java as a jint.
  *
  * `file` is a native pointer carried in a jlong and is converted with J2P
  * without any validation visible in this function, so the Java side must
  * only pass handles it obtained from this library.
  */
 TCN_IMPLEMENT_CALL(jint, File, trunc)(TCN_STDARGS, jlong file, jlong off)
{
    UNREFERENCED_STDARGS;
    return (jint)apr_file_trunc(J2P(file, apr_file_t *), (apr_off_t)off);
}

/* JNI entry point File.open: opens the file named by `fname` through
 * apr_file_open(), using the open flags and permission bits supplied by the
 * Java caller and the APR pool whose native pointer arrives in `pool`.
 * Returns the resulting apr_file_t pointer converted with P2J.
 *
 * NOTE(review): `flag` and `perm` are cast and forwarded as-is; nothing in
 * this function restricts them. A caller that creates files in a shared
 * directory should request exclusive creation (APR_CREATE | APR_EXCL) and
 * owner-only permissions, otherwise the open can follow or reuse a file
 * placed there by another user.
 */
TCN_IMPLEMENT_CALL(jlong, File, open)(TCN_STDARGS, jstring fname,
                                      jint flag, jint perm,
                                      jlong pool)
{
    /* Native pool pointer carried in a jlong; no validation is visible here. */
    apr_pool_t *p = J2P(pool, apr_pool_t *);
    apr_file_t *f = NULL;
    /* Presumably makes a C-string view of `fname` that J2S(fname) refers to
     * and that TCN_FREE_CSTRING releases below - confirm in the macro header. */
    TCN_ALLOC_CSTRING(fname);

    UNREFERENCED(o);
    /* The `cleanup` label has no visible goto, so this macro presumably throws
     * a Java exception, resets `f` and jumps to cleanup on failure - TODO
     * confirm against the macro definition. */
    TCN_THROW_IF_ERR(apr_file_open(&f, J2S(fname), (apr_int32_t)flag,
                     (apr_fileperms_t)perm, p), f);

cleanup:
    /* Reached on both the success and the error path. */
    TCN_FREE_CSTRING(fname);
    return P2J(f);
}

/* JNI entry point File.mktemp: copies the Java template string into a
 * heap buffer, asks apr_file_mktemp() to create a temporary file from it
 * in the given pool, frees the buffer and returns the apr_file_t pointer
 * converted with P2J. Returns 0 if the template could not be duplicated.
 *
 * NOTE(review): the call made here is apr_file_mktemp(), not libc mktemp(3).
 * Whether a "temporary file race condition" warning on this function is a
 * true positive therefore depends on how APR creates the file. APR's
 * documentation describes flags == 0 as selecting
 * APR_CREATE | APR_READ | APR_WRITE | APR_EXCL | APR_DELONCLOSE - confirm
 * for the APR version linked. `flags` is forwarded from the Java caller
 * unchecked, so verify what a nonzero value does to exclusive creation on
 * the target build, and that callers pass a template in a directory other
 * users cannot write to.
 */
TCN_IMPLEMENT_CALL(jlong, File, mktemp)(TCN_STDARGS, jstring templ,
                                      jint flags,
                                      jlong pool)
{
    /* Native pool pointer carried in a jlong; no validation is visible here. */
    apr_pool_t *p = J2P(pool, apr_pool_t *);
    apr_file_t *f = NULL;
    /* Private copy of the template; it is released with free() below, so
     * tcn_strdup presumably allocates with malloc - confirm. */
    char *ctempl = tcn_strdup(e, templ);

    UNREFERENCED(o);
    if (!ctempl) {
       /* Nothing else has been acquired yet, so returning directly is safe. */
       TCN_THROW_OS_ERROR(e);
       return 0;
    }
    /* The `cleanup` label has no visible goto, so this macro presumably throws
     * a Java exception, resets `f` and jumps to cleanup on failure - TODO
     * confirm against the macro definition. */
    TCN_THROW_IF_ERR(apr_file_mktemp(&f, ctempl,
                     (apr_int32_t)flags, p), f);

cleanup:
    /* The buffer is discarded here and only the handle is returned, so the
     * Java caller never receives the name that was generated. */
    free(ctempl);
    return P2J(f);
}

TCN_IMPLEMENT_CALL(jint, File, remove)(TCN_STDARGS, jstring path, jlong pool)
{
    apr_pool_t *p = J2P(pool, apr_pool_t *);
    TCN_ALLOC_CSTRING(path);
    apr_status_t rv; 
