CentOS 7
tmpfile weakness #12

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This lets the low-privilege process read data from the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

librepo-1.8.1/tests/test_downloader.c

Context:

The highlighted line of code below is the trigger point of this particular CentOS 7 tmpfile weakness.

    int ret;
    LrHandle *handle;
    GSList *list = NULL;
    GError *err = NULL;
    int fd1;
    char *tmpfn1;
    LrDownloadTarget *t1;
    GError *tmp_err = NULL;

    // Prepare handle

    handle = lr_handle_init();
    fail_if(handle == NULL);

    char *urls[] = {"http://www.google.com", NULL};
    lr_handle_setopt(handle, NULL, LRO_URLS, urls);
    lr_handle_prepare_internal_mirrorlist(handle, FALSE, &tmp_err);
    fail_if(tmp_err);


    // Prepare list of download targets

    tmpfn1 = lr_pathconcat(test_globals.tmpdir, "single_file_XXXXXX", NULL);

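    // Flagged line: mktemp() only generates a name; the file is created by the
    // separate open() below, which does not pass O_EXCL.
    mktemp(tmpfn1);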
    fd1 = open(tmpfn1, O_RDWR|O_CREAT|O_TRUNC, 0666);
    lr_free(tmpfn1);
    fail_if(fd1 < 0);

    t1 = lr_downloadtarget_new(handle, "index.html", NULL, fd1, NULL, NULL,
                               0, 0, NULL, NULL, NULL, NULL, NULL, 0, 0, FALSE);
    fail_if(!t1);

    list = g_slist_append(list, t1);

    // Download

    ret = lr_download(list, FALSE, &err);
    fail_if(!ret);
    fail_if(err);

    lr_handle_free(handle);

    // Check results

    for (GSList *elem = list; elem; elem = g_slist_next(elem)) {
            LrDownloadTarget *dtarget = elem->data;
            if (dtarget->err) {
                printf("Error msg: %s\n", dtarget->err);
                ck_abort(); 
