Closed Bug 173998 Opened 20 years ago Closed 20 years ago

flawfinder warnings in smime

Categories

(MailNews Core :: Security: S/MIME, defect, P3)

1.0 Branch
x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: morse, Assigned: ssaux)

References

Details

Heikki ran flawfinder (http://www.dwheeler.com/flawfinder) on the Mozilla 1.0.1 branch.

flawfinder found 1 warning in smime code (3742). Go through
that list and for each warning:

* If it is false positive, comment here why it is not an issue
* If it is a real issue, make patch for it here and let's get them checked in

In addition to checking the branch, also check the trunk.

3742) mailnews/extensions/smime/src/nsMsgComposeSecure.cpp:162 [3] (random) 
srand: This function is not sufficiently random for security-related functions 
such as key and nonce creation. use a more secure technique for acquiring random 
values.
Blocks: 148251
Reassigning to PSM, S/MIME.
Assignee: mstoltz → ssaux
Component: Security: General → S/MIME
Product: MailNews → PSM
QA Contact: junruh → carosendahl
Version: other → unspecified
Priority: -- → P3
Version: unspecified → 2.4
I suggest to resolve this bug as invalid.

The only suggestion being made here is about the pseudo randomness of the numbers.

However, in the place where the random function is used, we do not require real
randomness. All we require is a pseudo random mime part separator string, that
is unlikely to collide with other parts within the same MIME message. This
number is not used for anything hidden, it is readable in the clear anyway.

CC'ing Jean-Francois, in case he has to make similar decisions in other parts of
the mailnews MIME code.
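The distinction Kai draws above, as an added example that is not Mozilla's code (Python rather than the C++ of nsMsgComposeSecure.cpp, which the bug does not quote): a MIME part separator generated from a seeded, non-cryptographic PRNG, the Python counterpart of srand/rand. The boundary travels in the clear, so unpredictability buys nothing; what makes the message well-formed is the RFC 2046 requirement that the boundary not occur inside any encapsulated part, which is enforced by the substring check and retry below rather than by the entropy source. The part bodies and the helper names are constructed for the example; one body deliberately contains the first candidate boundary to force a retry.

```python
"""Added example (not Mozilla code): MIME boundary generation from a
non-cryptographic PRNG, with the collision check that actually matters."""
import random
import string
from email import message_from_string

ALPHABET = string.ascii_letters + string.digits


def candidate_boundary(rng, length=24):
    """One candidate separator drawn from a (non-cryptographic) PRNG.

    rng is a random.Random instance; seeding it plays the role srand()
    plays for rand() in C. Predictability is irrelevant here: the value is
    written into the message headers in the clear.
    """
    return "------------" + "".join(rng.choice(ALPHABET) for _ in range(length))


def choose_boundary(parts, rng, max_tries=100):
    """Return (boundary, tries) for a boundary contained in no part body.

    RFC 2046 section 5.1.1 requires that the boundary delimiter not appear
    in any encapsulated part. This substring check, not the quality of the
    random source, is what guarantees the message parses unambiguously.
    """
    for tries in range(1, max_tries + 1):
        boundary = candidate_boundary(rng)
        if all(boundary not in body for _, body in parts):
            return boundary, tries
    raise RuntimeError("could not find a non-colliding boundary")


def build_multipart(parts, boundary):
    """Assemble a multipart/mixed message from (content_type, body) pairs."""
    lines = [
        'Content-Type: multipart/mixed; boundary="%s"' % boundary,
        "",
        "This is a multi-part message in MIME format.",
    ]
    for ctype, body in parts:
        lines += ["--" + boundary, "Content-Type: " + ctype, "", body]
    lines.append("--" + boundary + "--")
    return "\n".join(lines) + "\n"


def split_parts(message_text):
    """Parse a multipart message back into (content_type, body) pairs."""
    msg = message_from_string(message_text)
    return [(p.get_content_type(), p.get_payload()) for p in msg.get_payload()]


# Constructed sample input: the second body embeds the very string the
# seeded PRNG would produce first, so the generator must try again.
FIRST_CANDIDATE = candidate_boundary(random.Random(0))
PARTS = [
    ("text/plain", "Hello, this is the signed text."),
    ("text/plain", "An attacker controls this body: " + FIRST_CANDIDATE),
    ("application/pkcs7-signature", "MIIBAgYJKoZIhvcNAQcC (constructed, not real DER)"),
]


def demo():
    """Run the generator over PARTS and return what a test can check."""
    boundary, tries = choose_boundary(PARTS, random.Random(0))
    message = build_multipart(PARTS, boundary)
    return {
        "boundary": boundary,
        "tries": tries,
        "collided_with_first": boundary == FIRST_CANDIDATE,
        "round_trip_ok": split_parts(message) == PARTS,
    }


if __name__ == "__main__":
    print(demo())
```

The same seed gives the same first candidate every run, which is exactly the property flawfinder warns about for keys and nonces; for a visible separator it is harmless, and the retry loop shows where the real robustness requirement lives.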
I agree with Kai - there are no security issues here.
Ok, based on your comments marking as INVALID. Thanks.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
verf'd
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime