fedora 24
tmpfile weakness #1


Weakness Breakdown


A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 24 tmpfile weakness.


	if (px->timeout) {

	if (px->fd >= 0) {

static void prplcb_xfer_new(PurpleXfer *xfer)

	if (purple_xfer_get_type(xfer) == PURPLE_XFER_RECEIVE) {
		struct prpl_xfer_data *px = g_new0(struct prpl_xfer_data, 1);
		struct purple_data *pd;

		xfer->ui_data = px;
		px->xfer = xfer;
		px->fn = mktemp(g_strdup("/tmp/bitlbee-purple-ft.XXXXXX"));
		px->fd = -1;
		px->ic = purple_ic_by_pa(xfer->account);

		pd = px->ic->proto_data;
		pd->filetransfers = g_slist_prepend(pd->filetransfers, px);

		purple_xfer_set_local_filename(xfer, px->fn);

		/* Sadly the xfer struct is still empty ATM so come back after
		   the caller is done. */
		b_timeout_add(0, prplcb_xfer_new_send_cb, xfer);
	} else {
		struct file_transfer *ft = next_ft;
		struct prpl_xfer_data *px = ft->data;

		xfer->ui_data = px;
		px->xfer = xfer;

		next_ft = NULL;

static gboolean prplcb_xfer_new_send_cb(gpointer data, gint fd, b_input_condition cond)
	PurpleXfer *xfer = data; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.