fedora 23
tmpfile weakness #3

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. The low-privilege process can then read data belonging to the high-privilege process (information leakage) or, worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

CBFlib-0.9.5.14/examples/cbf2nexus.c

Context:

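The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness. (The highlighting is not preserved in this text version, so the exact flagged line cannot be identified here. In the excerpt, the temporary file is created by `mktemp()` followed by `fopen()` when `NOMKSTEMP` is defined, and by `mkstemp()` followed by `fdopen()` otherwise. The `mktemp()` path only chooses a name and opens the file in a separate step, which is the pattern a temporary-file race warning usually refers to, whereas `mkstemp()` creates and opens the file in one step. Note also that in both branches the copy loop and `fclose(file)` still run after a failed creation, when `file` is `NULL`.)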

 #ifndef NO_UINT64_TYPE
            h5out->double_ulp = 4;
#endif
#endif
		}
        
        imageno = 0;
        imageinblock = 0;
        blockno = 1;
        
        for (f = 0; CBF_SUCCESS == error && f != cifid; ++f) {
			cbf_handle cif = NULL;
#ifdef NOTMPDIR
			char ciftmp[] = "cif2cbfXXXXXX";
#else
			char ciftmp[] = "/tmp/cif2cbfXXXXXX";
    		int ciftmpfd;
#endif
			/* Get suitable file - reading from stdin to a temporary file if needed */
			if (!(cifin[f]) || strcmp(cifin[f]?cifin[f]:"","-") == 0) {
				FILE *file = NULL;
				int nbytes;
				char buf[C2CBUFSIZ];
#ifdef NOMKSTEMP
				if (mktemp(ciftmp) == NULL ) {
                    fprintf(stderr,"%s: Can't create temporary file name %s.\n%s\n", argv[0], ciftmp,strerror(errno));
					error |= CBF_FILEOPEN;
				} else if ((file = fopen(ciftmp,"wb+")) == NULL) {
                    fprintf(stderr,"Can't open temporary file %s.\n%s\n", ciftmp,strerror(errno));
					error |= CBF_FILEOPEN;
                }
#else
                if ((ciftmpfd = mkstemp(ciftmp)) == -1 ) {
                    fprintf(stderr,"%s: Can't create temporary file %s.\n%s\n", argv[0], ciftmp,strerror(errno));
					error |= CBF_FILEOPEN;
				} else if ((file = fdopen(ciftmpfd, "w+")) == NULL) {
                    fprintf(stderr,"Can't open temporary file %s.\n%s\n", ciftmp,strerror(errno));
					error |= CBF_FILEOPEN;
                }
#endif
                while ((nbytes = fread(buf, 1, C2CBUFSIZ, stdin))) {
                    if((size_t)nbytes != fwrite(buf, 1, nbytes, file)) {
                        fprintf(stderr,"Failed to write %s.\n", ciftmp);
						error |= CBF_FILEWRITE;
						break;
                    }
                }
                fclose(file);
                cifin[f] = ciftmp;
            } 
