alpine 3.6
tmpfile weakness #91

4

Weakness Breakdown


Definition:

A temporary file weakness occurs when a temporary file that is created and used by a high-privilege process is accidentally shared with a low-privilege process, on account of it being temporary and generated after all security controls have been applied. This allows the low-privilege process to read data from the high-privilege process (information leakage), or worse, influence the high-privilege process by modifying the shared temporary file.

Warning code(s):

Temporary file race condition.

File Name:

lynx/src/lynx2-8-8/src/LYUtils.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 tmpfile weakness.

 #endif

/*
 * Check if the given anchor has an associated file-cache.
 */
BOOLEAN LYCachedTemp(char *target,
		     char **cached)
{
    BOOLEAN result = FALSE;

    if (*cached) {
	LYStrNCpy(target, *cached, LY_MAXPATH);
	FREE(*cached);
	if (LYCanReadFile(target)) {
	    if (remove(target) != 0) {
		CTRACE((tfp, "cannot remove %s\n", target));
	    }
	}
	result = TRUE;
    }
    return result;
}

#ifndef HAVE_MKDTEMP
#define mkdtemp(path) ((mktemp(path) != 0) && (mkdir(path, 0700) == 0))
#endif

/*
 * Open a temp-file, ensuring that it is unique, and not readable by other
 * users.
 *
 * The mode can be one of: "w", "a", "wb".
 */
FILE *LYOpenTemp(char *result,
		 const char *suffix,
		 const char *mode)
{
    FILE *fp = 0;
    BOOL txt = TRUE;
    char wrt = 'r';
    LY_TEMP *p;

    CTRACE((tfp, "LYOpenTemp(,%s,%s)\n", suffix, mode));
    if (result == 0)
	return 0;

    while (*mode != '\0') {
	switch (*mode++) {
	case 'w':
	    wrt = 'w'; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.