centos 6
tmpfile weakness #50

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

glibc-2.12-2-gc4ccff1/stdlib/test-canon2.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 6 tmpfile weakness.

 /* We have a preparation function.  */
#define PREPARE do_prepare

#include <test-skeleton.c>

/* Name of the temporary files we create.  */
char *name1;
char *name2;

/* Preparation.  */
void
do_prepare (int argc, char *argv[])
{
  size_t test_dir_len;

  test_dir_len = strlen (test_dir);

  /* Generate the circular symlinks.  */
  name1 = malloc (test_dir_len + sizeof ("/canonXXXXXX"));
  mempcpy (mempcpy (name1, test_dir, test_dir_len),
	   "/canonXXXXXX", sizeof ("/canonXXXXXX"));
  name2 = strdup (name1);

  add_temp_file (mktemp (name1));
  add_temp_file (mktemp (name2));
}


/* Run the test.  */
int
do_test (int argc, char *argv[])
{
  char *canon;

  printf ("create symlinks from %s to %s and vice versa\n", name1, name2);
  if (symlink (name1, name2) == -1
      || symlink (name2, name1) == -1)
    /* We cannot test this.  */
    return 0;

  /* Call the function.  This is equivalent the using 'realpath' but the
     function allocates the room for the result.  */
  errno = 0;
  canon = canonicalize_file_name (name1);

  return canon != NULL || errno != ELOOP;
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.