Fedora 23
tmpfile weakness #17


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

// Apply the specified command to the JPEG file.
static void DoCommand(const char * FileName, int ShowIt)
{
    int a,e;
    char ExecString[PATH_MAX*3];
    char TempName[PATH_MAX+10];
    int TempUsed = FALSE;

    e = 0;

    // Generate an unused temporary file name in the destination directory
    // (a is the number of characters to copy from FileName)
    a = strlen(FileName)-1;
    while(a > 0 && FileName[a-1] != SLASH) a--;
    memcpy(TempName, FileName, a);
    strcpy(TempName+a, "XXXXXX");

    // Note: Compiler will warn about mkstemp.  but I need a filename, not a file.
    // I could just then get the file name from what mkstemp made, and pass that
    // to the executable, but that would make for the exact same vulnerability
    // as mktemp - that is, that between getting the random name, and making the file
    // some other program could snatch that exact same name!
    // also, not all platforms support mkstemp.
    mktemp(TempName);   // flagged call: only a name is produced here; the file itself is created later

    // mktemp() leaves an empty string in TempName when no name could be generated.
    if(!TempName[0]) {
        ErrFatal("Cannot find available temporary file name");
    }

    // Build the exec string.  &i and &o in the exec string get replaced by input and output files.
    for (a=0;;a++){
        if (ApplyCommand[a] == '&'){
            if (ApplyCommand[a+1] == 'i'){
                // Input file.
                e += shellescape(ExecString+e, FileName);
                a += 1;
                continue;
            }
            if (ApplyCommand[a+1] == 'o'){
                // Needs an output file distinct from the input file.
                e += shellescape(ExecString+e, TempName);
                a += 1;
                TempUsed = TRUE;
                continue;
            }
        }
        // Any other character is copied through unchanged.
        ExecString[e++] = ApplyCommand[a];
        if (ApplyCommand[a] == 0) break;   // stop once the terminating NUL has been copied
    }

    // (the remainder of the function is not part of this excerpt)
}