
fedora 23
tmpfile weakness #1


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

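        /* First, get a temp filename */
        const char *str = getenv("TEMP");
        if(!str || !str[0]) str = getenv("TMP");
#ifdef _WIN32
        if(!str || !str[0]) str = ".";
#else
        if(!str || !str[0]) str = "/tmp";
#endif
        std::string fname = str;
        fname += "/alure-sfont-XXXXXX";

        /* Normalize Windows path separators */
        for(size_t i = 0;i < fname.size();i++)
        {
            if(fname[i] == '\\')
                fname[i] = '/';
        }

        /* mktemp()/mkstemp() rewrite the template in place, so they need a
         * writable, NUL-terminated buffer */
        std::vector<char> tmpfname(fname.begin(), fname.end());
        tmpfname.push_back(0);

        /* Open a temp file */
        int fd = -1;
        FILE *file;
#ifdef _WIN32
        /* mktemp() only picks a name; fopen() creates the file afterwards,
         * which leaves a window between the two calls */
        if(mktemp(&tmpfname[0]) == NULL || (file=fopen(&tmpfname[0], "wb")) == NULL)
#else
        /* mkstemp() picks the name and creates the file in one step */
        if((fd=mkstemp(&tmpfname[0])) == -1 || (file=fdopen(fd, "wb")) == NULL)
#endif
        {
            /* mkstemp() succeeded but fdopen() failed: release the descriptor */
            if(fd >= 0)
                close(fd);
            SetError("Failed to create temp file");
            return false;
        }

        /* Copy the input stream into the temp file in 4 KiB chunks */
        bool copyok = false;
        char buf[4096];
        size_t got;
        do {
            istream.read(buf, sizeof(buf));
            if((got=istream.gcount()) == 0)
            {
                /* End of input reached without a write error */
                copyok = true;
                break;
            }
        } while(fwrite(buf, 1, got, file) == got);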
