I thumbed through it, but I did not cross-reference the relevant source.  But
this is my humble opinion (I have been a C++ programmer for some time)
(Note: Mileage and warranty may vary, due to driving conditions, etc.  In
other words, this is my opinion, and don't start flaming me on it)...

1. snprintf, _snprintf, vsnprintf - This is the much better big brother of
sprintf.  Although it is possible to break this in some odd conditions, I
believe it to be safe.
2. strcat - Hmm, this would be better written as strncat, but depending on
the actual source code, it could be perfectly safe.  The issue with all the
non-length functions (sprintf, strcat, strcpy vs snprintf, strncat,
strncpy, etc) is that you can get a "Buffer Overrun" which can cause your
code to do odd things.  99.99997% of the time odd things==GPF/Seg Fault.
And no biggie, just bad code..  The 0.00003% of the time the code will
execute fine, but in an odd way (Like allow people access in a SUID
program).
3. exec and friends - Well, this is unavoidable..  "They" suggest that the
code you are exec'ing be a library.  Basically you are just saying "run
program X".  This again can be a "security flaw" in a SUID program, but is
completely fine in this case.  SpamAssassin cannot run other people's code
(Sophos, etc) as a library very easily, and in some cases *DOES* (As in the
case of ClamAV).
4. Rands - Well, this is not a program for generating ciphers, so ignore
them.
5. getopt - Safe for some time, if you are using GCC, or Visual Studio
6. getenv - Again, they are worried about the "user" setting an environment
variable, since anyone can do it.  For example:
   Program.exe (Or whatever) runs a program defined as ENV{'PROG_NAME'} as
root.  Well, joe shmuckatele or joe blow or whoever figures this out and
does: export PROG_NAME="sudo su" and then runs the program, poof he is
root.  But this is not the case again, so don't worry.

Most of the rest of these are equally benign, so don't worry..  We are all
fairly safe.. :-)

Ron

Original Message:
-----------------
From: Daniel Quinlan [EMAIL PROTECTED]
Date: Mon, 26 Jul 2004 13:49:21 -0700
To: [EMAIL PROTECTED]
Subject: flawfinder output


This is interesting.  It needs humans to review it, of course.