centos 7
tmpfile weakness #35

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ocaml-4.05.0/yacc/main.c

Context:

The highlighted line of code below is the trigger point of this particular Centos 7 tmpfile weakness.

     strcpy(union_file_name + len, temp_form);

    action_file_name[len + 5] = 'a';
    entry_file_name[len + 5] = 'e';
    text_file_name[len + 5] = 't';
    union_file_name[len + 5] = 'u';

#ifdef HAS_MKSTEMP
    action_fd = mkstemp(action_file_name);
    if (action_fd == -1)
        open_error(action_file_name);
    entry_fd = mkstemp(entry_file_name);
    if (entry_fd == -1)
        open_error(entry_file_name);
    text_fd = mkstemp(text_file_name);
    if (text_fd == -1)
        open_error(text_file_name);
    union_fd = mkstemp(union_file_name);
    if (union_fd == -1)
        open_error(union_file_name);
#else
    mktemp(action_file_name);
    mktemp(entry_file_name);
    mktemp(text_file_name);
    mktemp(union_file_name);
#endif

    len = strlen(file_prefix);

    output_file_name = MALLOC(len + 7);
    if (output_file_name == 0)
        no_space();
    strcpy(output_file_name, file_prefix);
    strcpy(output_file_name + len, OUTPUT_SUFFIX);

    code_file_name = output_file_name;

    if (vflag)
    {
        verbose_file_name = MALLOC(len + 8);
        if (verbose_file_name == 0)
            no_space();
        strcpy(verbose_file_name, file_prefix);
        strcpy(verbose_file_name + len, VERBOSE_SUFFIX);
    }

    interface_file_name = MALLOC(len + 8);
    if (interface_file_name == 0)
        no_space();
    strcpy(interface_file_name, file_prefix); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.