Closed
Bug 173751
Opened 22 years ago
Closed 21 years ago
flawfinder warnings in sun-java
Categories
(Core Graveyard :: Java: OJI, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: morse, Assigned: yuanyi21)
References
Details
Heikki ran flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1 branch. flawfinder found 1 warning in sun-java code (2191). Go through that list and for each warning: * If it is false positive, comment here why it is not an issue * If it is a real issue, make patch for it here and let's get them checked in In addition to checking the branch, also check the trunk. 2191) sun-java/stubs/include/jni.h:1744 [4] (format) vfprintf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification.
Comment 2•22 years ago
|
||
Reporter, Please provide the steps for us to reproduce the problem. It will save us a lot of time then.
Reporter | ||
Comment 3•22 years ago
|
||
There are no steps to reproduce the problem. These are simply warning messages that flawfinder spit out. There may or may not be a problem. You'll have to look at the code and make a determination.
The warning comes from a function member in a struct. The function is vfprintf. Looking at our code it seems like this struct will always be initialized to something a Java VM on the computer will provide, and we do not explicitly do anything with this so it looks safe from our point of view. However, I don't know who can call this function (Java code on a web page?), how it is implemented in the VM and so on... Leaving open since I am not sure...
Joshua, download Flawfinder (URL In the first comment) and run it on mozilla/sun-java directory. Flawfinder statically analyzes code, and reports potentially dangerous code (as in, may contain code that a malicious hacker could exploit). We need to manually go over the Flawfinder warnings and determine if we need to fix our code or if the warning was bogus. Please report your findings here.
From my investigation, the function vfprintf which caused the warning message belongs to struct JDK1_1InitArgs. JDK1_1InitArgs is only used as an argument of a JNI function JNI_GetDefaultJavaVMInitArgs which is obsoleted since jdk1.2 released. So we don't need to worry about this warning.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•