sles 15.2
tmpfile weakness #43

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

mariadb-10.4.13/storage/mroonga/vendor/groonga/lib/util.c

Context:

The highlighted line of code below is the trigger point of this particular SLES 15.2 tmpfile weakness.

  path_template_size = strlen(path_template) + 1;
  error = _mktemp_s(path_template, path_template_size);
  if (error != 0) {
    return -1;
  }

  error = _sopen_s(&fd,
                   path_template,
                   _O_RDWR | _O_CREAT | _O_EXCL | _O_BINARY,
                   _SH_DENYNO,
                   _S_IREAD | _S_IWRITE);
  if (error != 0) {
    return -1;
  }

  return fd;
}
#else /* WIN32 */
int
grn_mkstemp(char *path_template)
{
# ifdef HAVE_MKSTEMP
  return mkstemp(path_template);
# else /* HAVE_MKSTEMP */
  mktemp(path_template);
  return open(path_template, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
# endif /* HAVE_MKSTEMP */
}
#endif /* WIN32 */

grn_bool
grn_path_exist(const char *path)
{
  struct stat status;
  return stat(path, &status) == 0;
}

/* todo : refine */
/*
 * grn_tokenize splits a string into at most buf_size tokens and
 * returns the number of tokens. The ending address of each token is
 * written into tokbuf. Delimiters are ' ' and ','.
 * Then, the address to the remaining is set to rest.
 */
int
grn_tokenize(const char *str, size_t str_len,
             const char **tokbuf, int buf_size,
             const char **rest)
{
  const char **tok = tokbuf, **tok_end = tokbuf + buf_size; 
