centos 7
tmpfile weakness #18

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

librepo-1.8.1/tests/test_downloader.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 tmpfile weakness.

     GError *err = NULL;
    int fd1, fd2, fd3;
    char *tmpfn1, *tmpfn2, *tmpfn3;
    LrDownloadTarget *t1, *t2, *t3;
    GError *tmp_err = NULL;

    // Prepare handle

    handle = lr_handle_init();
    fail_if(handle == NULL);

    char *urls[] = {"http://www.google.com", NULL};
    lr_handle_setopt(handle, NULL, LRO_URLS, urls);
    lr_handle_prepare_internal_mirrorlist(handle, FALSE, &tmp_err);
    fail_if(tmp_err);

    // Prepare list of download targets

    tmpfn1 = lr_pathconcat(test_globals.tmpdir, "single_file_1_XXXXXX", NULL);
    tmpfn2 = lr_pathconcat(test_globals.tmpdir, "single_file_2_XXXXXX", NULL);
    tmpfn3 = lr_pathconcat(test_globals.tmpdir, "single_file_3_XXXXXX", NULL);

    mktemp(tmpfn1);
    mktemp(tmpfn2);
    mktemp(tmpfn3);
    fd1 = open(tmpfn1, O_RDWR|O_CREAT|O_TRUNC, 0666);
    fd2 = open(tmpfn2, O_RDWR|O_CREAT|O_TRUNC, 0666);
    fd3 = open(tmpfn3, O_RDWR|O_CREAT|O_TRUNC, 0666);
    lr_free(tmpfn1);
    lr_free(tmpfn2);
    lr_free(tmpfn3);
    fail_if(fd1 < 0);
    fail_if(fd2 < 0);
    fail_if(fd3 < 0);

    t1 = lr_downloadtarget_new(handle, "index.html", NULL, fd1, NULL, NULL,
                               0, 0, NULL, NULL, NULL, NULL, NULL, 0, 0, FALSE);
    fail_if(!t1);

    t2 = lr_downloadtarget_new(handle, "index.html", "http://seznam.cz", fd2,
                               NULL, NULL, 0, 0, NULL, NULL, NULL, NULL,
                               NULL, 0, 0, FALSE);
    fail_if(!t2);

    t3 = lr_downloadtarget_new(handle, "i_hope_this_page_doesnt_exists.html",
                               "http://google.com", fd3, NULL, NULL,
                               0, 0, NULL, NULL, NULL, NULL, NULL, 0, 0, FALSE);
    fail_if(!t3);

    list = g_slist_append(list, t1); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.