Issues found by flawfinder
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
widelands | Won't Fix | Low | Unassigned |
Bug Description
I recently discovered flawfinder (http://
I created the attached report with the following command:
$ flawfinder --context --falsepositive src/ > flawfinder-
Some explanation of the options: "--context" prints the line in question to make it easier to see what the issue is about, and "--falsepositive" silences some (~200) issues which are likely false positives. (Note that other issues reported might still be false positives.) In the report, after the list of files scanned, it will list the issues in descending order of importance. See the number in brackets after the file name for importance, where [5] is the most severe.
Since I only recently discovered it, any issues will be too late to make it into build18 (unless something is really critical I guess). Though, I think someone should take a look at the report to see if any of them should be fixed.
PS. I initially filed this as a private security issue, since that's the kind of issue this tool finds. I don't know if that is really necessary, though; since the report contains potential security issues, I figured we might review and/or patch them before making this visible to the general public.
PS. For other warning reports, see bug 1258667 (Clang), bug 986611 (cppcheck) and bug 1202101 (Visual Studio).
I looked over the list of errors and believe most of them are accurate detections, i.e. there is something flawed in the source code. However, I did not see a critical problem in any of them where a remote attacker could gain access to a system through Widelands. Most of them are local exploits, but since Widelands never changes its uid an attacker cannot gain any privileges through this (as far as I can tell).
However, it would be nice to get them all fixed, of course; most changes should be fairly mechanical.