From - Sun Nov 4 11:39:04 2001 X-UIDL: 4bd5a7eeb0e24a21ff091e0d7f4cec01 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: Received: from cs.ida.org by fricka.csed.ida.org (SMI-8.6/SMI-SVR4) id WAA06993; Fri, 2 Nov 2001 22:22:00 -0500 Received: from mailhost.nl (webframe.nl [212.204.207.201]) by cs.ida.org (Switch-2.2.0/Switch-2.2.0) with SMTP id fA33Lxp18254 for ; Fri, 2 Nov 2001 22:21:59 -0500 (EST) Received: from x-o.clustermonkey.org (postfix@x-o.clustermonkey.org [64.242.77.225]) by mailhost.nl (8.9.3/8.9.3) with ESMTP id EAA12369 for ; Sat, 3 Nov 2001 04:21:56 +0100 Received: by x-o.clustermonkey.org (Postfix, from userid 1000) id 6B96B61E92B; Fri, 2 Nov 2001 22:21:54 -0500 (EST) Date: Fri, 2 Nov 2001 22:21:54 -0500 From: Adam Lazur To: "David A. Wheeler" Subject: [arthur@tiefighter.et.tudelft.nl: Bug#118025: flawfinder does not detect multiline strings right] Message-ID: <20011102222154.B24827@clustermonkey.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="rwEMma7ioTxnRzrJ" Content-Disposition: inline User-Agent: Mutt/1.3.23i X-UIDL: 4bd5a7eeb0e24a21ff091e0d7f4cec01 --rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Attached is the first bug report from the Debian package of flawfinder. Replies can be sent to 118025@bugs.debian.org and they will be appended to the bug's history and also sent to the bug submitter. The bug history can be found at: http://bugs.debian.org/118025 -- Adam Lazur, Cluster Monkey --rwEMma7ioTxnRzrJ Content-Type: message/rfc822 Content-Disposition: inline X-Envelope-From: debbugs@master.debian.org Fri Nov 2 10:09:37 2001 Return-Path: Delivered-To: laz@clustermonkey.org Received: from master.debian.org (unknown [216.234.231.5]) by x-o.clustermonkey.org (Postfix) with ESMTP id 981EF61E913 for ; Fri, 2 Nov 2001 10:09:37 -0500 (EST) Received: from debbugs by master.debian.org with local (Exim 3.12 1 (Debian)) id 15zfqY-0007Zt-00; Fri, 02 Nov 2001 09:03:02 -0600 Subject: Bug#118025: flawfinder does not detect multiline strings right Reply-To: arthur@tiefighter.et.tudelft.nl, 118025@bugs.debian.org Resent-From: arthur@tiefighter.et.tudelft.nl Resent-To: debian-bugs-dist@lists.debian.org Resent-Cc: Adam Lazur Resent-Date: Fri, 02 Nov 2001 15:03:02 GMT Resent-Message-ID: X-Debian-PR-Message: report 118025 X-Debian-PR-Package: flawfinder X-Loop: owner@bugs.debian.org Received: via spool by submit@bugs.debian.org id=B.100471287428113 (code B ref -1); Fri, 02 Nov 2001 15:03:02 GMT From: arthur@tiefighter.et.tudelft.nl X-Authentication-Warning: ch.twi.tudelft.nl: arthur owned process doing -bs Date: Fri, 2 Nov 2001 15:54:02 +0100 (CET) X-Sender: arthur@ch.twi.tudelft.nl To: submit@bugs.debian.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Delivered-To: submit@bugs.debian.org Resent-Sender: Debian BTS Package: flawfinder Version: 0.17-1 Severity: normal Does strange things with respect to strings that are spread over multiple lines. Sample code: 1: static void a() 2: { 3: printf(_("a")); 4: printf(_("b" 5: "c")); 6: printf("a"); 7: printf("b" 8: "c"); 9: } Flawfinder output (partial): /tmp/tst.c:4 [4] (format) printf: if format strings can be influenced by an attacker, they can be exploited. Use a constant for the format specification. One would expect flawfinder either to report lines 3 and 4 as possible security riscs or lines 4 and 7. This is not expected behaviour. On a sindenote a disclaimer may be in order about the accuracy of the results. All things flawfinder reported on my code were no security threats. -- arthur - arthur@tiefighter.et.tudelft.nl - http://tiefighter.et.tudelft.nl/~arthur -- --rwEMma7ioTxnRzrJ--