alpine 3.6
tmpfile weakness #24

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

ruby/src/ruby-2.4.6/ext/nkf/nkf-utf8/nkf.c

Context:

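The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness. (The highlighting is not preserved in this text. The temporary-file calls in the excerpt are `mktemp()` followed by `open()` with `O_CREAT | O_EXCL` in the `MSDOS` branch, and `mkstemp()` in the `#else` branch. `mkstemp()` creates and opens the file in a single step, so whether the finding is a real exposure depends on which call was flagged and on who can write to the directory that holds `origfname`; confirm both before treating the warning as a verified defect.)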

 		int fd = 0;
		int fd_backup = 0;
#endif

		/* reopen file for stdout */
		if (file_out_f == TRUE) {
#ifdef OVERWRITE
		    if (overwrite_f){
			outfname = nkf_xmalloc(strlen(origfname)
					  + strlen(".nkftmpXXXXXX")
					  + 1);
			strcpy(outfname, origfname);
#ifdef MSDOS
			{
			    int i;
			    for (i = strlen(outfname); i; --i){
				if (outfname[i - 1] == '/'
				    || outfname[i - 1] == '\\'){
				    break;
				}
			    }
			    outfname[i] = '\0';
			}
			strcat(outfname, "ntXXXXXX");
			mktemp(outfname);
			fd = open(outfname, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL,
				  S_IREAD | S_IWRITE);
#else
			strcat(outfname, ".nkftmpXXXXXX");
			fd = mkstemp(outfname);
#endif
			if (fd < 0
			    || (fd_backup = dup(fileno(stdout))) < 0
			    || dup2(fd, fileno(stdout)) < 0
			   ){
			    perror(origfname);
			    return -1;
			}
		    }else
#endif
		    if(argc == 1) {
			outfname = *argv++;
			argc--;
		    } else {
			outfname = "nkf.out";
		    }

		    if(freopen(outfname, "w", stdout) == NULL) {
			perror (outfname);
			return (-1); 
