flawfinder warnings in mozilla/security

Status: RESOLVED INVALID (NSS :: Libraries)
Reporter: Heikki Toivonen (remove -bugzilla when emailing directly); Assigned: Wan-Teh Chang

Attachments: 1 attachment

I ran flawfinder (http://www.dwheeler.com/flawfinder) on the Mozilla 1.0.1 branch.

flawfinder found 502 warnings in mozilla/security (359-860). Go through that
list and for each warning:

* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get them checked in

In addition to checking the branch, also check the trunk.

I will attach an excerpt of the log since the full log is so big and inside the NS
firewall.

Blocks: 148251
This one is particularly worrisome - looks like a strcpy into a stack-allocated
buffer:
security/manager/ssl/src/nsPKCS12Blob.cpp:222
211   char namecpy[256];
...
222     strcpy(namecpy, NS_ConvertUCS2toUTF8(certNames[i]));
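
As an added illustration (not code from the NSS/PSM tree or from the bug's attachment): the strcpy() in the excerpt overruns the 256-byte stack buffer as soon as a converted certificate name is 256 bytes or longer, and strcpy() has no way to report that. A bounded copy that returns a status lets the caller decide what to do with an over-long name instead of silently writing past the buffer. Only the buffer size is taken from the excerpt; the function names, the constructed 300-byte name and the sample "CN=example" string are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 256   /* matches the 256-byte namecpy buffer in the excerpt */

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = 2 };

/*
 * Bounded replacement for strcpy(dst, src) into a fixed-size buffer:
 * writes at most dst_size-1 bytes, always NUL-terminates, and tells the
 * caller whether src fit. strcpy() cannot report this; it keeps writing
 * past the end of the destination.
 */
enum copy_status copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len;

    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BADARG;

    len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, len + 1);   /* includes the terminating NUL */
    return COPY_OK;
}

/* Stand-in for the fixed-size namecpy buffer (global so checks can inspect it). */
char g_namecpy[NAME_BUF];

/*
 * Constructed input: a name of name_len 'A' characters (hypothetical, not a
 * real certificate name) copied into a dst_size-byte buffer. Returns the
 * copy status so callers can confirm over-long names are truncated, not
 * written past the buffer.
 */
enum copy_status copy_constructed_name(char *dst, size_t dst_size, size_t name_len)
{
    enum copy_status st;
    char *name = malloc(name_len + 1);

    if (name == NULL)
        return COPY_BADARG;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    st = copy_bounded(dst, dst_size, name);
    free(name);
    return st;
}

int main(void)
{
    /* A 300-byte name plus NUL is 301 bytes: strcpy() would write 45 bytes past namecpy. */
    enum copy_status st = copy_constructed_name(g_namecpy, sizeof g_namecpy, 300);
    printf("300-byte name -> status %d, stored %zu bytes\n", st, strlen(g_namecpy));

    st = copy_bounded(g_namecpy, sizeof g_namecpy, "CN=example");
    printf("\"CN=example\" -> status %d, stored \"%s\"\n", st, g_namecpy);
    return 0;
}
```

Returning a status rather than truncating silently matters for certificate names: a caller that later uses the copied name as a key or display string should know it is looking at a prefix, and can skip or reject the entry.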

I filed bug 152941 on the warning mentioned in comment 2 above.
Comment 4 (Assignee)
I reviewed all of the warnings on the NSS code used by
the Mozilla client.  I found one problem of copying from
a character string buffer that's not null-terminated
(bug 153245).

I did not review the warnings on the NSS code not used
by the Mozilla client, such as the command-line tools,
Fortezza libraries, and test programs.

The use of gets in certutil is a known bug (53229).
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
Group: security?

Comment 5
16 more flawfinder warnings

3929) security/nss/cmd/certutil/certutil.c:122 [5] (buffer) gets: does not check
for buffer overflows. Use fgets() instead.

3930) security/nss/cmd/certutil/certutil.c:195 [5] (buffer) gets: does not check
for buffer overflows. Use fgets() instead.

3931) security/nss/cmd/certutil/certutil.c:1512 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3932) security/nss/cmd/certutil/certutil.c:1527 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3933) security/nss/cmd/certutil/certutil.c:1654 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3934) security/nss/cmd/certutil/certutil.c:1693 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3935) security/nss/cmd/certutil/certutil.c:1722 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3936) security/nss/cmd/certutil/certutil.c:1733 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3937) security/nss/cmd/certutil/certutil.c:1784 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3938) security/nss/cmd/certutil/certutil.c:1789 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3939) security/nss/cmd/certutil/certutil.c:1799 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3940) security/nss/cmd/certutil/certutil.c:1930 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.


3941) security/nss/cmd/certutil/certutil.c:1985 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3942) security/nss/cmd/certutil/certutil.c:2053 [5] (buffer) gets: does not
check for buffer overflows. Use fgets() instead.

3943) security/nss/cmd/modutil/install.c:698 [5] (race) chmod: this accepts
filename arguments; if an attacker can move those files, a race condition
results. . Use fchmod( ) instead.

3944) security/nss/lib/jar/jarfile.c:257 [5] (race) chmod: this accepts filename
arguments; if an attacker can move those files, a race condition results. . Use
fchmod( ) instead.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
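
Added example (not certutil's own code and not part of the attachment above): the bounded line reader flawfinder recommends in place of the gets() calls listed above. fgets() by itself stops the overflow but leaves a quieter problem: when a line is longer than the buffer, the next fgets() call returns the rest of that line as if it were fresh input, which for a tool reading passwords or yes/no answers means a wrong prompt silently consumes the tail. The helper below strips the newline, detects the over-long case and discards the remainder of that line. The 16-byte buffer, the function names and the input text are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_EOF = 2 };

/*
 * Bounded replacement for gets(buf): reads at most size-1 bytes of one
 * line into buf, strips the trailing newline and always NUL-terminates.
 * If the line did not fit, the rest of it is consumed and LINE_TOO_LONG
 * is returned, so the next call starts on a fresh line instead of
 * treating the tail of this one as new input.
 */
enum line_status read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;

    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in buf: the line fit exactly, was the last line, or overflowed. */
    c = getc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;
    do {
        c = getc(fp);             /* drain the part that did not fit */
    } while (c != '\n' && c != EOF);
    return LINE_TOO_LONG;
}

/* Small buffer standing in for the fixed-size arrays gets() would write into. */
char g_line[16];

/* Constructed input: one line of 30 'A's (too long for g_line), then a short line. */
const char *const g_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n";

/*
 * Feeds constructed text through a temporary stream and reads line n
 * (1-based) into buf. Returns the status of that read; used by the checks.
 */
enum line_status read_nth_line_of(const char *text, int n, char *buf, size_t size)
{
    FILE *fp = tmpfile();
    enum line_status st = LINE_EOF;
    int i;

    if (fp == NULL)
        return LINE_EOF;
    fputs(text, fp);
    rewind(fp);
    for (i = 0; i < n; i++)
        st = read_line(fp, buf, size);
    fclose(fp);
    return st;
}

int main(void)
{
    FILE *fp = tmpfile();
    enum line_status st;

    if (fp == NULL)
        return 1;
    fputs(g_input, fp);
    rewind(fp);
    while ((st = read_line(fp, g_line, sizeof g_line)) != LINE_EOF)
        printf("status %d: \"%s\"\n", st, g_line);
    fclose(fp);
    return 0;
}
```

The check for a buffer that filled exactly (next character is the newline) keeps a 15-character answer in a 16-byte buffer from being misreported as too long; without it, the reader would be correct but needlessly strict.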
Duplicate warnings, closing again.
Status: REOPENED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID