alpine 3.6
tmpfile weakness #65


Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is unintentionally shared with a low-privilege process, because the file is transient and is generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, to influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

xrdb/src/xrdb-1.1.0/xrdb.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness. The highlighting is not preserved in this text extract; the call that matches the warning code is `(void) mktemp(tmpname3);` in the `WIN32` branch, where a temporary file name is generated first and the file is only created afterwards, by name, through the shell redirection in the `cpp_program` command, leaving a window between the two steps.

 		fatal("%s: can't rename file '%s' to '%s'\n", ProgramName,
		      template, editFile);
	}
    } else {
	const char *cpp_addflags = "";

	if (oper == OPMERGE || oper == OPOVERRIDE)
	    GetEntriesString(&newDB, xdefs);

	/* Add -P flag only if using cpp, not another preprocessor */
	if (cpp_program) {
	    const char *cp = strstr(cpp_program, "cpp");

	    if (cp && ((cp[3] == '\0') || cp[3] == ' '))
		cpp_addflags = "-P";
	}
#ifdef PATHETICCPP
	if (need_real_defines) {
#ifdef WIN32
	    if (!(input = fopen(tmpname2, "w")))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname2);
	    fputs(defines.val, input);
	    fprintf(input, "\n#include \"%s\"\n", filename);
	    fclose(input);
	    (void) mktemp(tmpname3);
	    if (asprintf(&cmd, "%s %s %s %s > %s", cpp_program, cpp_addflags,
			 includes.val, tmpname2, tmpname3) == -1)
		fatal("%s: Out of memory\n", ProgramName);
	    if (system(cmd) < 0)
		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
	    free(cmd);
	    if (!(input = fopen(tmpname3, "r")))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname3);
#else
	    if (!freopen(tmpname2, "w+", stdin))
		fatal("%s: can't open file '%s'\n", ProgramName, tmpname2);
	    fputs(defines.val, stdin);
	    fprintf(stdin, "\n#include \"%s\"\n", filename);
	    fflush(stdin);
	    fseek(stdin, 0, 0);
	    if (asprintf(&cmd, "%s %s %s", cpp_program, cpp_addflags,
			 includes.val) == -1)
		fatal("%s: Out of memory\n", ProgramName);
	    if (!(input = popen(cmd, "r")))
		fatal("%s: cannot run '%s'\n", ProgramName, cmd);
	    free(cmd);
#endif
	} else {
#endif
	if (filename) { 
