centos 7
tmpfile weakness #10


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness.

 SANE_Status
 sane_start (SANE_Handle handle)
 {
   int mode;
   char *mode_str;
   CANON_Scanner *s = handle;
   SANE_Status status;
   u_char wbuf[72], dbuf[28], ebuf[72];
   u_char cbuf[2];			/* modification for FB620S */
   size_t buf_size, i;

   char tmpfilename[] = "/tmp/canon.XXXXXX"; /* for FB1200S */
   char *thistmpfile; /* for FB1200S */

   DBG (1, ">> sane_start\n");

   s->tmpfile = -1; /* for FB1200S */

 /******* making a tempfile for 1200 dpi scanning of FB1200S ******/
   if (s->hw->info.model == FB1200)
     {
       thistmpfile = strdup(tmpfilename);

       if (thistmpfile != NULL)
         {
           /* mktemp() only generates a name; the file itself is not
              created until the separate open() call further down */
           if (mktemp(thistmpfile) == 0)
             {
               DBG(1, "mktemp(thistmpfile) is failed\n");
               return (SANE_STATUS_INVAL);
             }
         }
       else
         {
           DBG(1, "strdup(thistmpfile) is failed\n");
           return (SANE_STATUS_INVAL);
         }

       /* O_EXCL makes open() fail if the generated name already exists */
       s->tmpfile = open(thistmpfile, O_RDWR | O_CREAT | O_EXCL, 0600);

       if (s->tmpfile == -1)
         {
           DBG(1, "error opening temp file %s\n", thistmpfile);
           DBG(1, "errno: %i; %s\n", errno, strerror(errno));
           errno = 0;
           return (SANE_STATUS_INVAL);
         }
       DBG(1, " ****** tmpfile is opened ****** \n");

       free (thistmpfile);
       DBG(1, "free thistmpfile\n");
     }
   /* the rest of sane_start is not part of this excerpt */
