CentOS 7
tmpfile weakness #11

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

sane-backends-1.0.24/backend/bh.c

Context:

The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness.

       if (s->readptr < s->readcnt)
	{
	  SANE_Byte itemtype;

	  for (; s->readptr < s->readcnt; s->readptr++)
	    {

	      itemtype = s->readlist[s->readptr];

	      DBG(3, "start_scan: advance readlist(%d, %d)\n",
		  s->readptr, 
		  (int) itemtype);

	      /* 'dance' by the non-SANE data streams
	       * like bar/patch code data
	       */
	      if (!BH_HAS_IMAGE_DATA(itemtype))
		{
		  int fd;
		  FILE *fp;

		  strncpy(s->barfname, "/tmp/bhXXXXXX", sizeof(s->barfname));
		  s->barfname[sizeof(s->barfname)-1] = '\0';

		  if ((mktemp(s->barfname) == NULL) &&
		      ((fd = open(s->barfname, O_CREAT | O_EXCL | O_WRONLY, 0600)) != -1) &&
		      ((fp = fdopen(fd, "w")) != NULL))
		    {
		      fprintf(fp, "<xml-stream>\n");

		      for (; 
			   s->readptr < s->readcnt && 
			     status == SANE_STATUS_GOOD; 
			   s->readptr++)
			{
			  if (s->readlist[s->readptr] == 
			      BH_SCSI_READ_TYPE_SENDBARFILE) {
			    break;
			  }
			  status = read_barcode_data(s, fp);
			  if (status != SANE_STATUS_GOOD) break;
			}

		      fprintf(fp, "</xml-stream>\n");

		      /* close file; re-open for read(setting s->barfd) */
		      fclose(fp);
		      if ((s->barf = fopen(s->barfname, "r")) == NULL)
			{
			  DBG(1, "sane_start: error opening barfile '%s'\n",  
