alpine 3.6
tmpfile weakness #48


Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, because the file is temporary and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage) or, worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

xrdb/src/xrdb-1.1.0/xrdb.c

Context:

The line of code highlighted below is the point at which this particular Alpine 3.6 tmpfile weakness is triggered.

 	    if (!(input = fopen(tmpname3, "r")))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname3);
#else
	    if (!freopen(tmpname2, "w+", stdin))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname2);
	    fputs(defines.val, stdin);
	    fprintf(stdin, "\n#include \"%s\"\n", filename);
	    fflush(stdin);
	    fseek(stdin, 0, 0);
	    if (asprintf(&cmd, "%s %s %s", cpp_program, cpp_addflags,
			 includes.val) == -1)
		fatal("%s: Out of memory\n", ProgramName);
	    if (!(input = popen(cmd, "r")))
		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
	    free(cmd);
#endif
	} else {
#endif
	if (filename) {
	    if (!freopen (filename, "r", stdin))
		fatal("%s: can't open file '%s'\n", ProgramName, filename);
	}
	if (cpp_program) {
#ifdef WIN32
	    (void) mktemp(tmpname3);
	    if (asprintf(&cmd, "%s %s %s %s %s > %s", cpp_program,
			 cpp_addflags, includes.val, defines.val,
			 filename ? filename : "", tmpname3) == -1)
		fatal("%s: Out of memory\n", ProgramName);
	    if (system(cmd) < 0)
		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
	    free(cmd);
	    if (!(input = fopen(tmpname3, "r")))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname3);
#else
	    if (asprintf(&cmd, "%s %s %s %s %s", cpp_program,
			 cpp_addflags, includes.val, defines.val,
			 filename ? filename : "") == -1)
		fatal("%s: Out of memory\n", ProgramName);
	    if (!(input = popen(cmd, "r")))
		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
	    free(cmd);
#endif
	} else {
	    input = stdin;
	}
#ifdef PATHETICCPP
	}
#endif
	ReadFile(&buffer, input); 
