alpine 3.6
tmpfile weakness #77

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

xdm/src/xdm-1.1.11/xdm/auth.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

 		      authDir, authdir1, authdir2);
	    r = CheckServerAuthDir(d->authFile, &statb, 0700);
	    if (r < 0) {
		free (d->authFile);
		d->authFile = NULL;
		return FALSE;
	    }
	    snprintf (d->authFile, len, "%s/%s/%s/A%s-XXXXXX",
		      authDir, authdir1, authdir2, cleanname);
#ifdef HAVE_MKSTEMP
	    fd = mkstemp (d->authFile);
	    if (fd < 0) {
		LogError ("cannot make authentication file %s: %s\n",
			  d->authFile, _SysErrorMsg (errno));
		free (d->authFile);
		d->authFile = NULL;
		return FALSE;
	    }

	    *file = fdopen(fd, "w");
	    if (!*file)
		(void) close (fd);
	    return TRUE;
#else
	    (void) mktemp (d->authFile);
#endif
	}
    }

    (void) unlink (d->authFile);
    *file = fopen (d->authFile, "w");
    return TRUE;
}

int
SaveServerAuthorizations (
    struct display  *d,
    Xauth	    **auths,
    int		    count)
{
    FILE	*auth_file;
    mode_t	mask;
    int		ret;
    int		i;
    const char	dummy_auth[] = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
		               "XXXXXXXXXXXXXXXXX"; /* 64 "X"s */
    int		err = 0;

    mask = umask (0077);
    ret = MakeServerAuthFile(d, &auth_file); 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.