
fedora 23
tmpfile weakness #2

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

berusky-1.7.1/src/profile.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

  level_set[4].level_selected = level_set[4].level_last = ini_read_int_file(tmp, PROFILE_LAST_IMPOSSIBLE, 0);
  level_set[5].level_selected = level_set[5].level_last = ini_read_int_file(tmp, PROFILE_LAST_USER, 0);
}

void berusky_profile::save(void)
{ 
  char buffer[1024];
  snprintf(buffer, 1024,
           "name = %s\nl0 = %d\nl1 = %d\nl2 = %d\nl3 = %d\nl4 = %d\nl5 = %d\n",
           profile_name,
           level_set[0].level_last,
           level_set[1].level_last,
           level_set[2].level_last,
           level_set[3].level_last,
           level_set[4].level_last,
           level_set[5].level_last);
  file_save(INI_USER_PROFILES, filename, (void *)buffer, strlen(buffer), "w");
}

void berusky_profile::create(const char *p_name)
{
  memset(this,0,sizeof(*this));
  strcpy(profile_name, p_name);
  strcpy(filename,"profileXXXXXX");
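  // mktemp() only generates a unique name and does not create the file,
  // so the name can be taken by another process before the file is written.
  mktemp(filename);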
  strcat(filename,".ini");
}

// Scan the directory for all profile files
bool profiles_load(BERUSKY_PROFILE **p_profiles, int *p_num)
{
  #define PROFILE_FILE_MASK "*.ini"
  DIRECTORY_ENTRY *p_profile_names;

  *p_profiles = NULL;
  *p_num = 0;

  int files = file_list_get(INI_USER_PROFILES, PROFILE_FILE_MASK, &p_profile_names);
  if(!files)
    return(FALSE);

  BERUSKY_PROFILE *p_list = new BERUSKY_PROFILE[files];
  for(int i = 0; i < files; i++) {
    p_list[i].load(INI_USER_PROFILES, p_profile_names[i].name);
  }
  ffree(p_profile_names);
  
  *p_profiles = p_list;
  *p_num = files;
 
