
Fedora 24
tmpfile weakness #11

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

netpbm-10.79.00/lib/pmfileio.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 tmpfile weakness.

   This is meant to be equivalent to POSIX mkstemp().

  On some old systems, mktemp() is a security hazard that allows a hacker
  to read or write our temporary file or cause us to read or write some
  unintended file.  On other systems, mkstemp() does not exist.

  A Windows/mingw environment is one which doesn't have mkstemp()
  (2006.06.15).

  We assume that if a system doesn't have mkstemp() that its mktemp()
  is safe, or that the total situation is such that the problems of
  mktemp() are not a problem for the user.
-----------------------------------------------------------------------------*/
    int retval;
    int fd;
    unsigned int attempts;
    bool gotFile;
    bool error;

    for (attempts = 0, gotFile = FALSE, error = FALSE;
         !gotFile && !error && attempts < 100;
         ++attempts) {

        char * rc;
        rc = mktemp(filenameBuffer);

        if (rc == NULL)
            error = TRUE;
        else {
            int rc;

            rc = open(filenameBuffer, tempFileOpenFlags(),
                      PM_S_IWUSR | PM_S_IRUSR);

            if (rc >= 0) {
                fd = rc;
                gotFile = TRUE;
            } else {
                if (errno == EEXIST) {
                    /* We'll just have to keep trying */
                } else 
                    error = TRUE;
            }
        }
    }    
    if (gotFile)
        retval = fd;
    else
        retval = -1;
 
