alpine 3.6
tmpfile weakness #83

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

gnats/src/gnats-4.2.0/gnats/misc.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

       return chmod (dpath, dmode);
    }
}
#endif /* HAVE_MKDIR */

/* Return open file descriptor of the file specified by 'template' suitable to
   'mktemp'.  The file is open for reading and writing.
   If the stream can't be opened, a negative value is returned. */
int open_temporary_file (char *template, int mode)
{
  int fd = -1;
#ifndef HAVE_MKSTEMP
  const int NUMBER_OF_TRIALS = 3;
#endif
  
#ifdef HAVE_MKSTEMP
  fd = mkstemp (template);
  chmod (template, mode);
#else
  {
    int i;
    for (i = 0; i < NUMBER_OF_TRIALS && fd < 0; i++)
      {   
#ifdef HAVE_MKTEMP
	mktemp (template);
#else
	mkstemps (template, 0);
#endif
	fd = open (template, O_RDWR | O_CREAT | O_EXCL, mode);
      }
  }
#endif
  return fd;
}

/* Return the name of the directory to use for general temporary files. */
const char *
temporary_directory (void)
{
#ifdef P_tmpdir
  return P_tmpdir;
#else
  char *tmpdir = getenv ("TMPDIR");
  if (tmpdir == NULL)
    {
      tmpdir = "/tmp";
    }
  return tmpdir;
#endif
} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.