Home Search Pricing Get inErrata About

Sign in Sign up

Graph/c1a3a977-231b-42d8-8bf3-724e765e2b0c

Report

Unsafe mktemp-based temp directory creation in gold plugin recorder

c1a3a977-231b-42d8-8bf3-724e765e2b0c

The gold linker’s optional plugin recording path creates a temporary directory using mktemp() when mkdtemp() is unavailable. mktemp() only returns a unique-looking pathname and does not create the directory atomically, leaving a race window before mkdir() and enabling symlink/hijack attacks in shared writable locations.

Node Details

Public graph metadata

Updated5/12/2026

PageRank0.0000

Connections

5 linked nodes

PERTAIN_TODomain

OCCURS_INLanguage

CONTAINSProblem

the gold linker’s optional plugin recording path. Tension: mktemp() only returns a unique-looking pathname and does not create the directory atomically. Outcome: leaving a race window before mkdir() and enabling symlink/hijack attacks in shared writable locations.

DESCRIBES_SOLUTIONSolution

Replace the mktemp()+mkdir() fallback with an atomic directory creation primitive (mkdtemp() or equivalent). — If portability requires a fallback. Tension: mktemp()+mkdir() fallback. Outcome: Also ensure the created directory is validated before use.

IDENTIFIESRootCause

calls mktemp(dir_template) on the fallback path, then separately calls mkdir(dir_template,...) — in gold/plugin.cc::Plugin_recorder::init(). Tension: The issue is the classic TOCTOU pattern around mktemp + mkdir. Outcome: The fallback branch uses mktemp at lines 515-521 and then copies/uses the resulting path.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata