fedora 23
race weakness #3

5

Weakness Breakdown


Definition:

A race condition exists when parallel code accesses shared data without proper coordination. An attack that uses a race-condition weakness takes advantage of the unsafe data access to manipulate how one of the parallel sections of code reacts. Even though each process runs as intended, the outcome is unexpected. For example, consider a bank service that depends on an encryption key that it reads from a known location. An independent cryptography service is responsible for generating the key and placing it where the bank is expected to read it in a timely manner. If the bank and cryptography services do not coordinate with each other, then the bank may read a blank encryption key before cryptography writes the key to the location. This can effectively turn off all encryption for the bank without either service, or the administrator, knowing that something has gone wrong.

Warning code(s):

This accepts filename arguments; if an attacker can move those files, a race condition results..

File Name:

4pane-4.0/Filetypes.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 race weakness.

 if (!IsValid()) return false;
if (newowner == invalid || newowner == OwnerID()              // because there's nothing to do
                    || getuid() != 0)  return false;          // Only root can change ownership

return true;
}

bool FileData::CanTHISUserChangeGroup(gid_t newgroup)  // See if the file's group is changeable by US
{
unsigned int invalid = (unsigned int)-1;                      // This is to prevent compiler warnings about -1 in unsigned ints
if (!IsValid()) return false;
if (newgroup == invalid || newgroup == GroupID())    return false;  // because there's nothing to do
if (getuid()!=0 && getuid()!=OwnerID())  return false;        // Only the file-owner or root can change a group

return true;
}

int FileData::DoChmod(mode_t newmode)  // If appropriate, change the file's permissions to newmode
{
if (!IsValid()) return false;
if (!CanTHISUserChmod()) return false;                        // Check we have the requisite authority (we need to own it or be root)

if (newmode == (statstruct->st_mode & 07777)) return 2;       // Check the new mode isn't identical to the current one! If so, return a flag

return (chmod(Filepath.mb_str(wxConvUTF8), newmode) == 0);    // All's well, so do the chmod. Success is flagged by zero return
}

int FileData::DoChangeOwner(uid_t newowner)  // If appropriate, change the file's owner
{
if (newowner == OwnerID())  return 2;                         // Check the new owner isn't identical to the current one! If so, return a flag
if (!CanTHISUserChown(newowner)) return false;                // Check it can be done

unsigned int invalid = (unsigned int)-1;                      // This is to prevent compiler warnings about -1 in unsigned ints
return (lchown(Filepath.mb_str(wxConvUTF8), newowner, invalid) == 0);  // Try to do the chown (actually lchown as this works on links too).  Zero return means success
}

int FileData::DoChangeGroup(gid_t newgroup)  // If appropriate, change the file's group
{
if (newgroup == GroupID())  return 2;                         // Check the new group isn't identical to the current one! If so, return a flag
if (!CanTHISUserChangeGroup(newgroup)) return false;          // First check it can be done

unsigned int invalid = (unsigned int)-1;                      // This is to prevent compiler warnings about -1 in unsigned ints
return (lchown(Filepath.mb_str(wxConvUTF8), invalid, newgroup) == 0);  // Try to do the chown (actually lchown as this works on links too).  Zero return means success
}

wxString FileData::GetParsedSize()  // Returns the size, but in bytes, KB, MB or GB according to magnitude
{
return ParseSize(Size(), false);
}
 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.