fedora 23
tmpfile weakness #4


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

 extern void srandom(unsigned int seed) __THROW __attribute_dontuse__;

typedef unsigned short randbuf[3];
double drand48(void) __THROW;
long lrand48(void) __THROW;
long mrand48(void) __THROW;
void srand48(long seed) __THROW;
unsigned short *seed48(randbuf buf) __THROW;
void lcong48(unsigned short param[7]) __THROW;
long jrand48(randbuf buf) __THROW;
long nrand48(randbuf buf) __THROW;
double erand48(randbuf buf) __THROW;

void qsort(void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));
void *bsearch(const void *key, const void *base, size_t nmemb, size_t size, int (*compar)(const void *, const void *));

extern char **environ;

char *realpath(const char *path, char *resolved_path) __THROW;

int mkstemp(char *_template);
char* mkdtemp(char *_template);

char* mktemp(char *_template);

int abs(int i) __THROW __attribute__((__const__));
long int labs(long int i) __THROW __attribute__((__const__));
__extension__ long long int llabs(long long int i) __THROW __attribute__((__const__));

int grantpt (int fd) __THROW;
int unlockpt (int fd) __THROW;
char *ptsname (int fd) __THROW;


#define EXIT_FAILURE 1
#define EXIT_SUCCESS 0

#define RAND_MAX 	0x7ffffffe

#define MB_CUR_MAX 5

/* now these functions are the greatest bullshit I have ever seen.
 * The ISO people must be out of their minds. */

typedef struct { int quot,rem; } div_t;
typedef struct { long quot,rem; } ldiv_t; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.