[brlcad-tracker] [ brlcad-Support Requests-1460888 ] Possible buffer overflows and security issues
From: SourceForge.net <no...@so...> - 2006-06-21 20:45:24
Support Requests item #1460888, was opened at 2006-03-29 19:20
Message generated for change (Comment added) made by brlcad
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=640803&aid=1460888&group_id=105292

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Analysis
Group: release 7.6
Status: Open
Resolution: None
Priority: 8
Submitted By: Pedro F. Giffuni (giffunip)
Assigned to: Sean Morrison (brlcad)
Summary: Possible buffer overflows and security issues

Initial Comment:
Hi;

Considering the great job finding bugs done by Coverity on other open source projects, I went looking for similar tools and I found FlawFinder, a very easy to use security checker.

I ran flawfinder on BRL-CAD 7.6.6 and, since the US Army should be expected to keep up the finest standards in security, I thought you might be interested in the report it produced.

----------------------------------------------------------------------

>Comment By: Sean Morrison (brlcad)
Date: 2006-06-21 20:45

Message:
Logged In: YES
user_id=785737

Having BRL-CAD added to scan.coverity.com sounds like an excellent idea... I'm looking into it. Thanks for the link!

----------------------------------------------------------------------

Comment By: Pedro F. Giffuni (giffunip)
Date: 2006-04-08 20:44

Message:
Logged In: YES
user_id=678384

Actually that file is not as nice as the html report ;-). Many of these can be false positives; the tool is somewhat dumb in that it just looks for functions that are known to have security limitations. Valgrind is excellent for memory leaks and double frees, but Coverity can find yet more types of problems. Depending on developers' time, we could ask for brlcad to be added to scan.coverity.com.

enjoy!

----------------------------------------------------------------------

Comment By: Sean Morrison (brlcad)
Date: 2006-03-30 05:11

Message:
Logged In: YES
user_id=785737

That is excellent, Pedro... thanks for running the tool and providing the report. It reads about as verbosely as the output after using our configure's --enable-warnings flag... That's a pretty hefty laundry list, but definitely one worth looking into and fixing.

I've also had it planned to run valgrind on all the tools at some point as well. I'm sure it will uncover more than a few issues.

Since the list you provided has a considerable number of high-risk warnings related to security, this will definitely be getting some attention. Thanks again.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=640803&aid=1460888&group_id=105292
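Pedro's remark that the tool "just looks for functions that are known to have security limitations" is what makes the false positives in such a report unavoidable. The following is an added example (my own code, not flawfinder's and not part of BRL-CAD) of a toy scanner in that lexical style run over a constructed C fragment: it reports a bounds-checked strcpy and an unchecked one with the identical level-4 hit, which is exactly why the laundry list needs manual triage. The rule table and the sample C are assumptions made for the example.

```python
import re

# Rule table in the style of flawfinder's ruleset (name -> risk 0-5, why); constructed here, not flawfinder's database.
RULES = {
    "gets":    (5, "no bound on input length; always overflowable"),
    "strcpy":  (4, "does not check destination size"),
    "sprintf": (4, "does not check destination size"),
    "strncpy": (1, "may leave the destination without a NUL terminator"),
}
CALL_RE = re.compile(r"\b(" + "|".join(RULES) + r")\s*\(")

def blank_comments_and_strings(src):
    # Overwrite C comments and string literals with spaces, keeping newlines so
    # line numbers stay valid; a mention of gets() in a comment is then not a hit.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    src = re.sub(r"//[^\n]*", blank, src)
    return re.sub(r'"(?:\\.|[^"\\\n])*"', blank, src)

def scan(src, min_level=0):
    # Return (line, function, level, reason) for each risky call at or above
    # min_level. Purely lexical: arguments and nearby bounds checks are ignored.
    clean = blank_comments_and_strings(src)
    hits = []
    for m in CALL_RE.finditer(clean):
        name = m.group(1)
        level, why = RULES[name]
        if level >= min_level:
            hits.append((clean.count("\n", 0, m.start()) + 1, name, level, why))
    return hits

# Constructed C fragment: both strcpy calls get the same hit, although only the
# first can overflow; the check before the second is invisible to the scanner.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
/* never call gets() here */
void copy_name(char *dst, size_t dstlen, const char *src)
{
    char tmp[64];
    strcpy(tmp, src);                 /* true positive: src length unchecked */
    if (strlen(src) < dstlen)
        strcpy(dst, src);             /* false positive: length checked above */
    printf("copied with strcpy\\n");  /* only a string, not a call */
}
"""
if __name__ == "__main__":
    for line, name, level, why in scan(SAMPLE_C, min_level=3):
        print(f"sample.c:{line}: [{level}] {name}: {why}")
```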