alpine 3.6
tmpfile weakness #35

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

lynx/src/lynx2-8-8/src/Xsystem.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

 		return spawnl(flag, p->cmd, p->cmd, p->arg, (char *) 0);
	    }
	    return -1;
	} else {
	    return try3(p->cmd, p, flag);
	}
    }
}

static char *NEAR tmpf(char *tp)
{
    char tplate[STR_MAX];
    char *ev;
    int i;

    if ((ev = LYGetEnv("TMP")) != 0) {
	LYStrNCpy(tplate, ev, sizeof(tplate) - 2 - strlen(tp));
	i = strlen(ev);
	if (i && ev[i - 1] != '\\' && ev[i - 1] != '/')
	    strcat(tplate, "\\");
    } else {
	tplate[0] = 0;
    }
    strcat(tplate, tp);
    return strdup(mktemp(tplate));
}

static int NEAR redopen(char *fn, int md, int sfd)
{
    int rc;
    int fd;

    if ((fd = open(fn, md, 0666)) != -1) {
	if (md & O_APPEND)
	    lseek(fd, 0L, SEEK_END);
	rc = dup(sfd);
	if (fd != sfd) {
	    dup2(fd, sfd);
	    close(fd);
	}
	return rc;
    }
    return -1;
}

static int NEAR redclose(int fd, int sfd)
{
    if (fd != -1) {
	dup2(fd, sfd);
	close(fd); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.