Closed
Bug 173998
Opened 23 years ago
Closed 23 years ago
flawfinder warnings in smime
Categories
(MailNews Core :: Security: S/MIME, defect, P3)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: morse, Assigned: ssaux)
Heikki ran flawfinder (http://www.dwheeler.com/flawfinder) on Mozilla 1.0.1
branch.
flawfinder found 1 warning in smime code (3742). Go through
that list and for each warning:
* If it is a false positive, comment here why it is not an issue
* If it is a real issue, make a patch for it here and let's get them checked in
In addition to checking the branch, also check the trunk.
3742) mailnews/extensions/smime/src/nsMsgComposeSecure.cpp:162 [3] (random)
srand: This function is not sufficiently random for security-related functions
such as key and nonce creation. use a more secure technique for acquiring random
values.
Reassigning to PSM, S/MIME.
Assignee: mstoltz → ssaux
Component: Security: General → S/MIME
Product: MailNews → PSM
QA Contact: junruh → carosendahl
Version: other → unspecified
Updated•23 years ago
Priority: -- → P3
Version: unspecified → 2.4
Comment 2•23 years ago
I suggest resolving this bug as invalid.
The only suggestion being made here is about the pseudo-randomness of the numbers.
However, in the place where the random function is used, we do not require real
randomness. All we require is a pseudo-random MIME part separator string that
is unlikely to collide with other parts within the same MIME message. This
number is not used for anything hidden; it is readable in the clear anyway.
CC'ing Jean-Francois, in case he has to make similar decisions in other parts of
the mailnews MIME code.
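The reasoning in Comment 2, as an added example that is not part of the bug thread and is not the code in nsMsgComposeSecure.cpp: a MIME separator needs uniqueness within the message, not secrecy, so `rand()` is adequate and the property worth enforcing is the absence of a collision. The function names, the 32-character length and the explicit collision check are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BOUNDARY_LEN 32 /* constructed length; RFC 2046 allows up to 70 */

/* Separator built from rand(). It travels in the clear in the Content-Type
 * header, so predictability is not a weakness; only uniqueness matters. */
static void make_boundary(char *out)
{
    static const char hex[] = "0123456789ABCDEF";
    memset(out, '-', 12);
    for (size_t i = 12; i < BOUNDARY_LEN; i++)
        out[i] = hex[rand() % 16];
    out[BOUNDARY_LEN] = '\0';
}

/* Conservative check: 1 if "--boundary" occurs anywhere in a part body. */
static int boundary_collides(const char *boundary, const char *const *parts, size_t nparts)
{
    char delim[BOUNDARY_LEN + 3];
    snprintf(delim, sizeof delim, "--%s", boundary);
    for (size_t i = 0; i < nparts; i++)
        if (strstr(parts[i], delim) != NULL)
            return 1;
    return 0;
}

/* Regenerate until no part contains the separator; returns attempts used. */
static int pick_boundary(char *out, const char *const *parts, size_t nparts)
{
    int attempts = 0;
    do {
        make_boundary(out);
        attempts++;
    } while (boundary_collides(out, parts, nparts));
    return attempts;
}

int main(void)
{
    /* Constructed sample parts standing in for a body and a signature. */
    const char *const parts[] = { "signed body text\r\n", "constructed signature blob" };
    char b[BOUNDARY_LEN + 1];
    srand(12345u); /* any seed will do: the value is not a secret */
    int n = pick_boundary(b, parts, 2);
    printf("boundary=%s attempts=%d\n", b, n);
    return 0;
}
```

Values that must stay unpredictable, such as keys and nonces, are the case the flawfinder rule is written for and need a cryptographic generator instead.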
Comment 3•23 years ago
I agree with Kai - there are no security issues here.
Ok, based on your comments marking as INVALID. Thanks.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID