Closed Bug 173428 Opened 22 years ago Closed 18 years ago

flawfinder warnings in libjar

Categories: Core :: Networking: JAR, defect
Version: 1.0 Branch
Hardware: x86
OS: Windows NT
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WORKSFORME

People: Reporter: morse; Assigned: dveditz


I ran flawfinder (http://www.dwheeler.com/flawfinder) on the Mozilla 1.0.1 branch.

flawfinder found 6 warnings in libjar code (1105-1110). Go through
that list and for each warning:

* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get it checked in

In addition to checking the branch, also check the trunk.

1105) modules/libjar/nsJAR.cpp:287 [5] (race) chmod: this accepts filename arguments; if an attacker can move those files, a race condition results. . Use fchmod( ) instead.

1106) modules/libjar/nsZipArchive.cpp:676 [5] (race) chmod: this accepts filename arguments; if an attacker can move those files, a race condition results. . Use fchmod( ) instead.

1107) modules/libjar/nsZipArchive.cpp:1779 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length.

1108) modules/libjar/nsZipArchive.cpp:1792 [2] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf. Risk is low because the source has a constant maximum length.

1109) modules/libjar/nsZipArchive.cpp:1825 [4] (buffer) sprintf: does not check for buffer overflows. Use snprintf or vsnprintf.

1110) modules/libjar/zipstub.h:41 [4] (buffer) strcpy: does not check for buffer overflows. Consider using strncpy or strlcpy.
Blocks: 148251
One more flawfinder warning -- 3921

3921) modules/libjar/nsZipArchive.cpp:676 [5] (race) chmod: this accepts filename arguments; if an attacker can move those files, a race condition results. . Use fchmod( ) instead.

1107-1109 are safe because the buffer is big enough.

1110 is safe; strcpy is defined as PL_strcpy, and all usage of it in libjar is safe.

I have NOT checked 1105-1106; 3921 is a duplicate of 1106.
Product: Browser → Seamonkey
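For the still-unchecked chmod warnings (1105, 1106, 3921), the following is an added example of the fix pattern flawfinder is pointing at; it is not libjar code, and the helper names and the /tmp template path are assumptions made for this illustration. A path-based chmod() re-resolves the name at call time, so whoever can rename entries in that directory can redirect it; fchmod() on the descriptor used for the write acts on the already-open inode instead.

```c
/* Added example, not Mozilla/libjar code: create a file, write it, and set
 * its mode through the open descriptor with fchmod() rather than chmod(path). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file from the mkstemp template in `path_template` (modified in
 * place to the real name), write `data`, then apply `mode` with fchmod().
 * Returns 0 on success, -1 on failure (the partial file is removed). */
int write_file_with_mode(char *path_template, const char *data, mode_t mode)
{
    int fd = mkstemp(path_template);   /* O_CREAT|O_EXCL: never follows an existing link */
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd); unlink(path_template); return -1;
    }
    /* The race flawfinder flags is between the write and a later chmod(path).
     * fchmod() targets the inode behind fd, so a concurrent rename of the
     * name cannot point it at some other file. Not affected by umask. */
    if (fchmod(fd, mode) != 0) {
        close(fd); unlink(path_template); return -1;
    }
    close(fd);
    return 0;
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed (for checking). */
int mode_bits_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    char path[] = "/tmp/libjar-example-XXXXXX";   /* constructed template */
    if (write_file_with_mode(path, "extracted entry\n", 0640) != 0) {
        perror("write_file_with_mode");
        return 1;
    }
    printf("%s mode=%04o\n", path, mode_bits_of(path));
    unlink(path);
    return 0;
}
```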
Closing all open flawfinder bugs as WORKSFORME because we now have much better tools that do the same (well, better) kind of analysis (Coverity, Klocwork).
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Component: Installer: XPI Packages → Installer
QA Contact: ktrina → general
Component: Installer → Networking: JAR
Product: SeaMonkey → Core
QA Contact: general → networking.jar
Version: Trunk → 1.0 Branch