
sles 15.1
tmpfile weakness #6

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

gcc-8.2.1+r264010/libiberty/choose-temp.c

Context:

The highlighted line of code below is the trigger point of this particular SLES 15.1 tmpfile weakness.

 Return a prefix for temporary file names or @code{NULL} if unable to
find one.  The current directory is chosen if all else fails so the
program is exited if a temporary directory can't be found (@code{mktemp}
fails).  The buffer for the result is obtained with @code{xmalloc}.

This function is provided for backwards compatibility only.  Its use is
not recommended.

@end deftypefn

*/

char *
choose_temp_base (void)
{
  const char *base = choose_tmpdir ();
  char *temp_filename;
  int len;

  len = strlen (base);
  temp_filename = XNEWVEC (char, len + TEMP_FILE_LEN + 1);
  strcpy (temp_filename, base);
  strcpy (temp_filename + len, TEMP_FILE);

  if (mktemp (temp_filename) == 0)
    abort ();
  return temp_filename;
} 
