fedora 23
tmpfile weakness #5


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 tmpfile weakness.

int DXfetch_and_add(int *p, int value, lock_type *l, int who)
    int old_value;

    DXlock(l, who);
    old_value = *p;
    *p += value;
    DXunlock(l, who);

    return old_value;

#else /* !NEWLOCKS */

#include <ulocks.h>

static usptr_t *usptr = NULL;
#define L (*(ulock_t*)l)

int _dxf_initlocks(void)
    static int been_here = 0;
    static char tmp[] = "/tmp/loXXXXXX";
    char *mktemp();

    if (!been_here) {
	been_here = 1;
	usconfig(CONF_INITUSERS, 64);
	usptr = usinit(tmp);
	if (!usptr)
	    DXErrorReturn(ERROR_NO_MEMORY, "Can't create us block for locks");
    return OK;

int DXcreate_lock(lock_type *l, char *name)
    static int been_here = 0;

    if (!been_here) {
	been_here = 1;
	if (!_dxf_initlocks())
	    return NULL;

    L = usnewlock(usptr); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.