Closed Bug 173751 Opened 22 years ago Closed 21 years ago

flawfinder warnings in sun-java

Categories: Core Graveyard :: Java: OJI, defect
Platform: x86, Windows NT
Type: defect
Priority: Not set
Severity: normal

Tracking: Not tracked
Status: RESOLVED INVALID

People: Reporter: morse, Assigned: yuanyi21


Heikki ran flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1 
branch.

flawfinder found 1 warning in sun-java code (2191). Go through
that list and for each warning:

* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get them checked in

In addition to checking the branch, also check the trunk.

2191) sun-java/stubs/include/jni.h:1744 [4] (format) vfprintf: if format strings 
can be influenced by an attacker, they can be exploited. Use a constant for the 
format specification.

Blocks: 148251
QA Contact: pmac → petersen

reassign to me
Assignee: joe.chou → joshua.xia

Reporter, please provide the steps for us to reproduce the problem. It will
save us a lot of time then.

There are no steps to reproduce the problem.  These are simply warning messages
that flawfinder spit out.  There may or may not be a problem.  You'll have to
look at the code and make a determination.

The warning comes from a function member in a struct. The function is vfprintf.
Looking at our code it seems like this struct will always be initialized to
something a Java VM on the computer will provide, and we do not explicitly do
anything with this so it looks safe from our point of view. However, I don't
know who can call this function (Java code on a web page?), how it is
implemented in the VM and so on... Leaving open since I am not sure...

reporter: how to reproduce?
Status: NEW → ASSIGNED

Joshua, download Flawfinder (URL in the first comment) and run it on
mozilla/sun-java directory.

Flawfinder statically analyzes code, and reports potentially dangerous code (as
in, may contain code that a malicious hacker could exploit). We need to manually
go over the Flawfinder warnings and determine if we need to fix our code or if
the warning was bogus.

Please report your findings here.

->kyle
Assignee: joshua.xia → kyle.yuan
Status: ASSIGNED → NEW

From my investigation, the function vfprintf which caused the warning message
belongs to struct JDK1_1InitArgs. JDK1_1InitArgs is only used as an argument of
a JNI function JNI_GetDefaultJavaVMInitArgs which has been obsolete since jdk1.2
was released.
So we don't need to worry about this warning.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Product: Core → Core Graveyard
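
Added example, not part of the original bug thread and not Mozilla's or Sun's code: a C sketch of the triage question discussed above, where a struct member named vfprintf is only a function-pointer declaration and the risk depends on what a call site passes as the format. `InitArgsSketch` is a simplified stand-in for `JDK1_1InitArgs`, and `capture_hook`, `call_hook`, `log_as_format` and `log_as_data` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumption) for the flagged struct: the member named
 * vfprintf is only a function-pointer declaration; nothing is formatted here. */
typedef struct {
    int (*vfprintf)(FILE *fp, const char *format, va_list args);
} InitArgsSketch;

static char captured[128]; /* last text produced through the hook */

/* Hypothetical hook an embedder could install; it records the output. */
static int capture_hook(FILE *fp, const char *format, va_list args) {
    (void)fp;
    return vsnprintf(captured, sizeof captured, format, args);
}

/* Variadic shim that reaches the va_list-based hook. The parentheses keep a
 * function-like vfprintf macro in <stdio.h> from rewriting the member call. */
static int call_hook(const InitArgsSketch *a, const char *format, ...) {
    va_list ap;
    va_start(ap, format);
    int n = (a->vfprintf)(stderr, format, ap);
    va_end(ap);
    return n;
}

/* Pattern the warning is about: caller-supplied text becomes the format. */
const char *log_as_format(const InitArgsSketch *a, const char *text) {
    call_hook(a, text);
    return captured;
}

/* Reviewed pattern: constant format, caller-supplied text is only data. */
const char *log_as_data(const InitArgsSketch *a, const char *text) {
    call_hook(a, "%s", text);
    return captured;
}

int main(void) {
    InitArgsSketch a = { capture_hook };
    const char *sample = "50%% done"; /* constructed input */
    printf("as format: %s\n", log_as_format(&a, sample)); /* directive consumed */
    printf("as data:   %s\n", log_as_data(&a, sample));   /* kept verbatim */
    return 0;
}
```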