Fedora 23
tmpfile weakness #1

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

alure-1.2/src/codec_fluidsynth.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

        /* First, get a temp filename */
        const char *str = getenv("TEMP");
        if(!str || !str[0]) str = getenv("TMP");
#ifdef _WIN32
        if(!str || !str[0]) str = ".";
#else
        if(!str || !str[0]) str = "/tmp";
#endif
        std::string fname = str;
        fname += "/alure-sfont-XXXXXX";

        for(size_t i = 0;i < fname.size();i++)
        {
            if(fname[i] == '\\')
                fname[i] = '/';
        }

        std::vector<char> tmpfname(fname.begin(), fname.end());
        tmpfname.push_back(0);

        /* Open a temp file */
        int fd = -1;
        FILE *file;
#ifdef _WIN32
        if(mktemp(&tmpfname[0]) == NULL || (file=fopen(&tmpfname[0], "wb")) == NULL)
#else
        if((fd=mkstemp(&tmpfname[0])) == -1 || (file=fdopen(fd, "wb")) == NULL)
#endif
        {
            if(fd >= 0)
            {
                close(fd);
                remove(&tmpfname[0]);
            }
            SetError("Failed to create temp file");
            return false;
        }

        bool copyok = false;
        char buf[4096];
        size_t got;
        do {
            istream.read(buf, sizeof(buf));
            if((got=istream.gcount()) == 0)
            {
                copyok = true;
                break;
            }
        } while(fwrite(buf, 1, got, file) == got);
 
