David A. Wheeler's Blog

Tue, 15 Jun 2004

Flawfinder version 1.26 released!

I’ve released yet another new version of flawfinder - now it’s version 1.26. Flawfinder is a simple program that examines C/C++ source code and reports on likely security flaws in the program, ranked by risk level. When I announced flawfinder version 1.25, people responded with a flurry of useful improvements, so I thought I’d incorporate those right away for all to enjoy.

You can view the Flawfinder ChangeLog for the details. Here are some of the highlights:

  1. Added code to better support Microsoft’s approach to internationalization, based in large part on work by Jared Robinson (thanks!!). This adds many more functions: _getts(), vswprintf(), _stprintf(), _vstprintf(), vwprintf(), vfwprintf(), _vtprintf(), _ftprintf(), _vftprintf(), _sntprintf(), _vsntprintf(), _ftscanf(), and _gettc(). The macros _T() and _TEXT() are treated like gettext(), to eliminate spurious warnings.
  2. Added two new rules for GLib functions, “g_get_home_dir” and “g_get_tmp_dir”, per a suggestion by Steve Kemp. This closes the wishlist item in Debian bug report #250432. Contributors - please email wishlist items to me; I can’t monitor every distribution’s local bug tracking system. PLEASE tell upstream developers when there’s a bug/wishlist item, we can’t fix it if we don’t know.
  3. I added rules, e.g., for curl_getenv() (another getenv-like function), as well as more rules for input functions: recv, recvfrom, recvmsg, fread, and readv.
  4. I tightened the false positive test slightly; if a name is followed by =, -, or +, it’s unlikely to be a function call, so it’ll be quietly discarded.
  5. I modified the summary report format slightly, to make it nicer.
  6. I modified the getpass text to remove an extraneous character, thanks to a bug report from Joerg Beyer (thanks!).
  7. I modified the installation instructions to clarify how to set INSTALL_DIR at run-time so it installs elsewhere. Flawfinder uses the standard GNU conventions, but not everyone knows about them. By default, flawfinder installs in /usr/local. Just use normal make overrides to change that, e.g., “make INSTALL_DIR=/usr INSTALL_DIR_MAN=/usr/share/man install”. I do NOT use the ?= macro-setting commands in the makefile, because that’s not standard (e.g., it’s not in SUSv3), so while that would work in GNU make, it wouldn’t work in others. I did this to answer some questions about installation - the flexibility has always been there, but now it’s documented in a clearer way.
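Item 4 describes a small heuristic that is easiest to understand in code. The scanner below is an added illustration written for this page, not flawfinder’s own source: it tokenizes a C fragment, skips comments and string/character literals, looks each identifier up in a constructed four-entry rule set (an assumption for the example; flawfinder’s real database is much larger), drops any risky name whose next non-blank character is =, - or +, and ranks what remains by risk level. The function names, the rule set and the sample C input are all constructed here.

```python
import re

# Constructed toy rule set: name -> risk level. Flawfinder's real database is
# far larger; these four entries are assumptions made for this illustration.
RISKY_NAMES = {"gets": 5, "strcpy": 4, "sprintf": 4, "getenv": 3}

# One pass over the source. Comments and string/char literals are matched so
# the scanner can skip them; identifiers are the candidates to examine.
TOKEN_RE = re.compile(r'''
      (?P<comment>/\*.*?\*/|//[^\n]*)
    | (?P<string>"(?:\\.|[^"\\\n])*")
    | (?P<char>'(?:\\.|[^'\\\n])*')
    | (?P<ident>[A-Za-z_]\w*)
''', re.S | re.X)
WS_RE = re.compile(r'\s*')


def next_significant(text, pos):
    """First non-whitespace character at or after pos, or '' at end of input."""
    end = WS_RE.match(text, pos).end()
    return text[end] if end < len(text) else ''


def find_hits(source):
    """Return (line, name, level, is_call) for each risky name that survives
    the false-positive test, sorted by risk level, highest first."""
    hits = []
    for m in TOKEN_RE.finditer(source):
        if m.lastgroup != 'ident':
            continue                      # comment or literal: never code
        name = m.group('ident')
        if name not in RISKY_NAMES:
            continue
        following = next_significant(source, m.end())
        # The test from item 4: "gets = ...", "gets - 1", "gets += 1" are a
        # variable that merely shares a name, not a call, so drop them silently.
        if following in ('=', '-', '+'):
            continue
        line = source.count('\n', 0, m.start()) + 1
        hits.append((line, name, RISKY_NAMES[name], following == '('))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed C input exercising each branch of the heuristic.
SAMPLE_C = """\
#include <string.h>
/* strcpy mentioned in a comment: not code */
int gets = 0;                  /* a variable that shares a libc name: gets = */
const char *label = "strcpy";  /* inside a string literal: not code */
void copy(char *dst, const char *src) {
    strcpy(dst, src);          /* a real call: reported */
    gets += 1;                 /* followed by +: quietly discarded */
    gets = gets - 1;           /* followed by = and by -: discarded */
    void (*fp)(char *) = gets; /* function pointer, not a call: still reported */
}
"""

if __name__ == "__main__":
    for line, name, level, is_call in find_hits(SAMPLE_C):
        kind = "call" if is_call else "reference"
        print(f"line {line}: [{level}] {name} ({kind})")
```

Note that a risky name which is not followed by “(” (the function-pointer assignment on line 9 of the sample) is still reported: the =/-/+ test only removes the uses that are almost certainly an ordinary variable sharing the name, while references through function pointers and in #define bodies keep showing up in the report.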

NOTE: Due to an error on my part, the tar file for version 1.25 on my website was for a short period (between 2004-06-05 and 2004-06-15) actually a functional equivalent of version 1.26 (without some stuff that only affects me), incorrectly labelled as 1.25. This wasn’t true for the RPM packages (the 1.25s stayed as 1.25), so suspicious people could look inside the RPM packages to see if the tar file within was correct. In some sense this wasn’t a serious problem - tar users got the latest version of flawfinder a little sooner than I intended. But I really want version numbers to mean what they say, and I know others do too; for those folks, my sincere apologies!! Please upgrade to 1.26, since that way you’ll be SURE to get the right version. If you want to check, here are the md5sum’s of various correct files:

dcdd0a7a5b9dc8d0ffc85c1a5833bc43  flawfinder-1.25-1.noarch.rpm
744f0cc317c583de6d295860db3c7cbe  flawfinder-1.25-1.src.rpm
fa5b644e00aa4862de5b790f0e1a3ad7  flawfinder-1.25.tar.gz (the real 1.25)
530b11016c52d473ebb7bc9639d4338b  flawfinder-1.26-1.noarch.rpm
cbc61513620bc7b17bcc29f8eb50fb9f  flawfinder-1.26-1.src.rpm
242a90ecf2f21a709a2425c8771ef38e  flawfinder-1.26.tar.gz
Here’s the md5sum of the file that was briefly labelled as flawfinder-1.25.tar.gz, but was actually a functional equivalent of 1.26:
e1fa5fcb540b91d27c3ae427595a182e  flawfinder-1.25.tar.gz-actually1.26

Just go to the flawfinder home page to get the latest version.
