As reported here https://lists.freebsd.org/pipermail/freebsd-security/2016-December/009193.html
Found a couple of ecp binaries in /tmp, apparently created concurrent with an 11.0 x86_64 kernel build. Anyone else seen this? Could they be related to a "make buildkernel"? # ls -l /tmp/ecp* -rw-r--r-- 1 root wheel 4229 Dec 27 06:21 ecp.Aak1ruL8 -rw-r--r-- 1 root wheel 2371 Dec 27 06:21 ecp.8Wba0TzO
As reproted by dim@ on IRC,
13:11 @dim in create_file(), if the input isn't ELF, it will create another
temp file, and set the source input to that tempfile
13:12 @dim it saves the file descriptor to that file in efd, but frees the
temp filename, so it's lost and the file can't be deleted
afterwards
13:12 @dim i.e. it's created here:
https://github.com/elftoolchain/elftoolchain/blob/master/elfcopy/main.c#L561
13:13 @dim and on line 581 the filename is lost.
13:13 @dim from then on, it treats it as a regular input file, which isn't
deleted
Addressed in FreeBSD r316284
https://svnweb.freebsd.org/changeset/base/316284