My company used Fortify 360. I didn't actually do the work; I'm just reporting the findings.
FYI - I've logged an issue in the tracker on this subject: 2822600
http://sourceforge.net/tracker/?func=detail&aid=2822600&group_id=105970&atid=642714

I'm not a C++ expert, so I'm basically trying to find out if the tool is reporting anything valid or if it's a false alarm to be ignored, and if the code in question actually gets deployed with the MSI or not. I'll then take this information back to others who will vet the tool into our product line. I work for a large defense industry contractor, so they take these kinds of things very seriously.

Thanks,
Chris

Christopher Painter, Author of Deployment Engineering Blog
Have a hot tip, know a secret or read a really good thread that deserves attention? E-Mail Me

--- On Thu, 7/16/09, Neil Sleightholm <n...@x2systems.com> wrote:

> From: Neil Sleightholm <n...@x2systems.com>
> Subject: Re: [WiX-users] Fortify 360 Security Scan
> To: "General discussion for Windows Installer XML toolset." <wix-users@lists.sourceforge.net>
> Date: Thursday, July 16, 2009, 3:57 PM
>
> Chris, do you mind me asking which tool you used to find this? I have been asked to validate WiX for a large company and this is the sort of thing that would look good in my report.
>
> Neil
>
> -----Original Message-----
> From: Christopher Painter [mailto:chr...@deploymentengineering.com]
> Sent: 16 July 2009 17:12
> To: wix-users@lists.sourceforge.net
> Subject: [WiX-users] Fortify 360 Security Scan
>
> We ran WiX v3.0 GA through a security auditing tool and it reported several issues:
>
> cabcutil.cpp:531 ( Buffer Overflow )
> cabcutil.cpp:577 ( Buffer Overflow )
> strutil.cpp:1174 ( Buffer Overflow )
> strutil.cpp:337 ( Buffer Overflow )
> xmlutil.cpp:650 ( Buffer Overflow: Off-by-One )
>
> I've been asked to pass this to the WiX team for review in terms of remediation and to ask: are any of these files used in CustomActions, or are they strictly design/build-time files?
>
> Thanks,
> Chris
>
> Details follow:
>
> cabcutil.cpp:531 ( Buffer Overflow )
>
> Abstract: The function AddNonDuplicateFile() in cabcutil.cpp writes outside the bounds of pv on line 531, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.
>
> cabcutil.cpp:577 ( Buffer Overflow )
>
> Abstract: The function AddNonDuplicateFile() in cabcutil.cpp writes outside the bounds of pv on line 577, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.
>
> strutil.cpp:1174 ( Buffer Overflow )
>
> Abstract: The function MultiSzPrepend() in strutil.cpp writes outside the bounds of pwzResult on line 1174, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.
>
> strutil.cpp:337 ( Buffer Overflow )
>
> Abstract: The function StrAllocPrefix() in strutil.cpp writes outside the bounds of pwzResult on line 337, which could corrupt data, cause the program to crash, or lead to the execution of malicious code.
>
> xmlutil.cpp:650 ( Buffer Overflow: Off-by-One )
>
> Abstract: The program writes just past the bounds of allocated memory, which could corrupt data, crash the program, or lead to the execution of malicious code.
>
> General Recommendations From Tool:
>
> Never use inherently unsafe functions, such as gets(), and avoid the use of functions that are difficult to use safely such as strcpy(). Replace unbounded functions like strcpy() with their bound equivalents, such as strncpy() or the WinAPI functions defined in strsafe.h [4]. ( More available from tool )
>
> ------------------------------------------------------------------------------
> Enter the BlackBerry Developer Challenge
> This is your chance to win up to $100,000 in prizes! For a limited time, vendors submitting new applications to BlackBerry App World(TM) will have the opportunity to enter the BlackBerry Developer Challenge. See full prize details at: http://p.sf.net/sfu/Challenge
> _______________________________________________
> WiX-users mailing list
> WiX-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wix-users
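The tool's abstracts describe writes past pwzResult in the prefix/prepend routines and an off-by-one in xmlutil.cpp. As an added illustration of the length arithmetic this class of routine needs (a constructed example, not WiX code and not the lines Fortify flagged; the names prefix_alloc, multisz_cch and multisz_prepend are assumed), here is a wide-string prefix-prepend and a MULTI_SZ prepend that size the destination from the source lengths, including the single and double terminators that an off-by-one typically omits.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed example, not WiX code: allocate pwzPrefix followed by
 * pwzSource, sizing the destination from both lengths plus the one
 * terminating L'\0' that an off-by-one write would clobber.
 * Returns NULL on arithmetic overflow or allocation failure. */
wchar_t *prefix_alloc(const wchar_t *pwzPrefix, const wchar_t *pwzSource)
{
    size_t cchPrefix = wcslen(pwzPrefix);
    size_t cchSource = wcslen(pwzSource);
    if (cchPrefix >= SIZE_MAX - cchSource) return NULL;   /* room for the +1 below */
    size_t cchResult = cchPrefix + cchSource + 1;         /* +1: the terminator */
    wchar_t *pwzResult = malloc(cchResult * sizeof(wchar_t));
    if (pwzResult == NULL) return NULL;
    memcpy(pwzResult, pwzPrefix, cchPrefix * sizeof(wchar_t));
    memcpy(pwzResult + cchPrefix, pwzSource, (cchSource + 1) * sizeof(wchar_t));
    return pwzResult;
}

/* Count of wchar_t in a MULTI_SZ block (NUL-separated strings closed by a
 * second NUL), including both closing NULs; an empty block is L"\0" (1). */
size_t multisz_cch(const wchar_t *pwzMultiSz)
{
    size_t cch = 0;
    while (pwzMultiSz[cch] != L'\0')
        cch += wcslen(pwzMultiSz + cch) + 1;              /* string + its own NUL */
    return cch + 1;                                       /* the closing second NUL */
}

/* Prepend pwzNew as the first entry of a MULTI_SZ block. The destination
 * must hold the new string, its NUL, and the whole old block including the
 * double terminator; counting only the visible strings is the classic
 * off-by-one. Returns NULL on overflow or allocation failure. */
wchar_t *multisz_prepend(const wchar_t *pwzNew, const wchar_t *pwzMultiSz)
{
    size_t cchNew = wcslen(pwzNew) + 1;                   /* new entry + its NUL */
    size_t cchOld = multisz_cch(pwzMultiSz);              /* old block incl. double NUL */
    if (cchNew > SIZE_MAX - cchOld) return NULL;
    wchar_t *pwzResult = malloc((cchNew + cchOld) * sizeof(wchar_t));
    if (pwzResult == NULL) return NULL;
    memcpy(pwzResult, pwzNew, cchNew * sizeof(wchar_t));
    memcpy(pwzResult + cchNew, pwzMultiSz, cchOld * sizeof(wchar_t));
    return pwzResult;
}
```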