alpine 3.6
tmpfile weakness #75

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

zsh/src/zsh-5.3.1/Src/utils.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

 /* Get a unique filename for use as a temporary file.  If "prefix" is
 * NULL, the name is relative to $ TMPPREFIX; If it is non-NULL, the
 * unique suffix includes a prefixed '.' for improved readability.  If
 * "use_heap" is true, we allocate the returned name on the heap.
 * The string passed as "prefix" is expected to be metafied. */

/**/
mod_export char *
gettempname(const char *prefix, int use_heap)
{
    char *ret, *suffix = prefix ? ".XXXXXX" : "XXXXXX";

    queue_signals();
    if (!prefix && !(prefix = getsparam("TMPPREFIX")))
	prefix = DEFAULT_TMPPREFIX;
    if (use_heap)
	ret = dyncat(unmeta(prefix), suffix);
    else
	ret = bicat(unmeta(prefix), suffix);

#ifdef HAVE__MKTEMP
    /* Zsh uses mktemp() safely, so silence the warnings */
    ret = (char *) _mktemp(ret);
#else
    ret = (char *) mktemp(ret);
#endif
    unqueue_signals();

    return ret;
}

/* The gettempfile() "prefix" is expected to be metafied, see hist.c
 * and gettempname(). */

/**/
mod_export int
gettempfile(const char *prefix, int use_heap, char **tempname)
{
    char *fn;
    int fd;
#if HAVE_MKSTEMP
    char *suffix = prefix ? ".XXXXXX" : "XXXXXX";

    queue_signals();
    if (!prefix && !(prefix = getsparam("TMPPREFIX")))
	prefix = DEFAULT_TMPPREFIX;
    if (use_heap)
	fn = dyncat(unmeta(prefix), suffix);
    else
	fn = bicat(unmeta(prefix), suffix); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.