centos 7
tmpfile weakness #15

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

librepo-1.8.1/tests/test_downloader.c

Context:

The trigger point of this particular Centos 7 tmpfile weakness is the mktemp() call in the code below: it only generates a file name, and the file is then created separately by open() without O_EXCL, so another process can create or replace that path in between.

        GSList *list = NULL;
        GError *err = NULL;
        int fd1;
        char *tmpfn1;
        LrDownloadTargetChecksum *checksum;
        GSList *checksums = NULL;
        LrDownloadTarget *t1;
        GError *tmp_err = NULL;

        // Prepare handle

        handle = lr_handle_init();
        fail_if(handle == NULL);

        char *urls[] = {"file:///", NULL};
        lr_handle_setopt(handle, NULL, LRO_URLS, urls);
        lr_handle_prepare_internal_mirrorlist(handle, FALSE, &tmp_err);
        fail_if(tmp_err);


        // Prepare list of download targets

        tmpfn1 = lr_pathconcat(test_globals.tmpdir, "single_file_XXXXXX", NULL);

        // Flagged line: mktemp() only fills in the XXXXXX template; it does not
        // create the file. The separate open() below lacks O_EXCL, so between the
        // two calls another process could create or symlink the same path
        // (the temporary file race condition reported by the scanner).
        mktemp(tmpfn1);
        fd1 = open(tmpfn1, O_RDWR|O_CREAT|O_TRUNC, 0666);
        lr_free(tmpfn1);
        fail_if(fd1 < 0);

        checksum = lr_downloadtargetchecksum_new(LR_CHECKSUM_SHA512,
                                                 tests[i].sha512);
        checksums = g_slist_append(checksums, checksum);

        t1 = lr_downloadtarget_new(handle, "dev/null", NULL, fd1, NULL, checksums,
                                   0, 0, NULL, NULL, NULL, NULL, NULL, 0, 0, FALSE);
        fail_if(!t1);

        list = g_slist_append(list, t1);

        // Download

        ret = lr_download(list, FALSE, &err);
        fail_if(!ret);
        fail_if(err);

        lr_handle_free(handle);

        // Check results

        for (GSList *elem = list; elem; elem = g_slist_next(elem)) { 