[Python-bugs-list] [ python-Bugs-429084 ] Results of running Flawfinder

noreply@sourceforge.net noreply@sourceforge.net
Tue, 07 Aug 2001 07:21:13 -0700


Bugs item #429084, was opened at 2001-05-31 10:31
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=429084&group_id=5470

Category: Python Interpreter Core
Group: None
>Status: Closed
Resolution: None
Priority: 2
Submitted By: Itamar Shtull-Trauring (itamar)
Assigned to: Nobody/Anonymous (nobody)
Summary: Results of running Flawfinder

Initial Comment:
I tried running Flawfinder
(http://www.dwheeler.com/flawfinder/) on the Python
source code. Since I'm not nasty I won't paste *all* of
the errors found, but here are some:

/usr/src/python-cvs/Modules/flmodule.c:373 [2] (buffer)
sprintf: does not check for buffer overflows. Use
snprintf or vsnprintf. Risk is low because the source
has a constant maximum length
/usr/src/python-cvs/Modules/posixmodule.c:4191 [3]
(tmpfile) tempnam: temporary file race condition. . 
/usr/src/python-cvs/Modules/posixmodule.c:4237 [3]
(tmpfile) tmpnam: temporary file race condition. . 
/usr/src/python-cvs/Modules/_weakref.c:141 [4] (buffer)
sprintf: does not check for buffer overflows. Use
snprintf or vsnprintf. 
/usr/src/python-cvs/Modules/almodule.c:51 [4] (format)
vsprintf: Potential format string problem. Make Format
string constant. 
/usr/src/python-cvs/Modules/getpath.c:169 [4] (buffer)
strcat: does not check for buffer overflows. Consider
using strncat or strlcat. 

There were lots more - try it and see.

----------------------------------------------------------------------

Comment By: Itamar Shtull-Trauring (itamar)
Date: 2001-08-07 07:12

Message:
Logged In: YES 
user_id=32065

Well, as I said I don't know enough C in most cases to say
if they are bugs or not. However, I thought I should bring
it to the attention of those who do.

So if you say "assume that we knew what we were doing when
we wrote that code" I can't very well argue with that - so
sure, remove it :)

----------------------------------------------------------------------

Comment By: Guido van Rossum (gvanrossum)
Date: 2001-08-07 06:43

Message:
Logged In: YES 
user_id=6380

I don't know how useful these results are.

Python itself doesn't use tmpnam or tempnam, but it makes
them available to Python code that wants to use them.
Whether or not that's a security problem or race condition
depends on the use context of that Python code. 

If we removed these functions, we would break Python code
that uses them. Also note that where applicable, tmpnam_r is
called.

I propose to close this bug report, unless you can point to
*specific* cases where your program found an *actual* bug in
the code.

----------------------------------------------------------------------

Comment By: Itamar Shtull-Trauring (itamar)
Date: 2001-08-07 00:27

Message:
Logged In: YES 
user_id=32065

My knowledge of C is rather lacking. However, some cases are
pretty easy to check. For example, here's what my Debian man
pages say about some of the above functions, under the Bugs
subheading:

tempnam: Never use this function. Use tmpfile(3) instead.
tmpnam: Never use this function. Use tmpfile(3) instead.

And it also says tmpfile is part of the POSIX standard, so
using it shouldn't be a problem.

The strcat in getpath.c seems fine since the previous line
checks that the length is less than the allowable max and it
only appends one character.
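
[Added example, not part of the original comment and not code from Python's source: a C illustration of the race the quoted man page warns about. With tmpnam/tempnam the name is chosen first and opened later, so a plain open() accepts a file someone else created in between, while O_EXCL refuses it and tmpfile(3) never exposes a name at all. The function names and the /tmp/flawdemo- prefix are assumptions made up for this example.]

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a path that already exists: the situation a caller of tmpnam() or
 * tempnam() is in when another process creates the returned name first.
 * The pre-existing file is a constructed stand-in made with mkstemp().
 * Returns 1 if open() succeeded, 0 if it failed with EEXIST, -1 on error. */
int open_preexisting(int extra_flags)
{
    char path[] = "/tmp/flawdemo-XXXXXX";   /* hypothetical name prefix */
    int other = mkstemp(path);
    if (other < 0) return -1;
    errno = 0;
    int fd = open(path, O_WRONLY | O_CREAT | extra_flags, 0600);
    int result = (fd >= 0) ? 1 : (errno == EEXIST ? 0 : -1);
    if (fd >= 0) close(fd);
    close(other);
    unlink(path);
    return result;
}

/* tmpfile(3), the man page's suggestion: the caller never handles a name,
 * so there is no gap between choosing it and opening it.
 * Writes msg, reads it back; returns 0 if the round trip matches. */
int tmpfile_roundtrip(const char *msg)
{
    char buf[64];
    size_t n = strlen(msg);
    if (n >= sizeof buf) return -1;
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    int ok = fwrite(msg, 1, n, fp) == n && fseek(fp, 0L, SEEK_SET) == 0
          && fread(buf, 1, n, fp) == n && memcmp(buf, msg, n) == 0;
    fclose(fp);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("plain=%d excl=%d tmpfile=%d\n", open_preexisting(0),
           open_preexisting(O_EXCL), tmpfile_roundtrip("scratch data"));
    return 0;
}
```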

----------------------------------------------------------------------

Comment By: Jeremy Hylton (jhylton)
Date: 2001-08-06 14:16

Message:
Logged In: YES 
user_id=31392

Itamar-- any interest in figuring out which of these is
really a problem?

----------------------------------------------------------------------
