Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/gpg-remailer-3.04.05/cleartextmail/mailcommand.cc
Examining data/gpg-remailer-3.04.05/cleartextmail/label.cc
Examining data/gpg-remailer-3.04.05/cleartextmail/cleartextmail1.cc
Examining data/gpg-remailer-3.04.05/cleartextmail/processheaders.cc
Examining data/gpg-remailer-3.04.05/cleartextmail/writemailcontents.cc
Examining data/gpg-remailer-3.04.05/cleartextmail/cleartextmail.h
Examining data/gpg-remailer-3.04.05/enums/enums.h
Examining data/gpg-remailer-3.04.05/gpg/run.cc
Examining data/gpg-remailer-3.04.05/gpg/encrypt.cc
Examining data/gpg-remailer-3.04.05/gpg/gpg.h
Examining data/gpg-remailer-3.04.05/gpg/gpg1.cc
Examining data/gpg-remailer-3.04.05/gpg/collector.cc
Examining data/gpg-remailer-3.04.05/gpg/decrypt.cc
Examining data/gpg-remailer-3.04.05/gpg/verify.cc
Examining data/gpg-remailer-3.04.05/gpgmail/mailcommand.cc
Examining data/gpg-remailer-3.04.05/gpgmail/label.cc
Examining data/gpg-remailer-3.04.05/gpgmail/processheaders.cc
Examining data/gpg-remailer-3.04.05/gpgmail/writemailcontents.cc
Examining data/gpg-remailer-3.04.05/gpgmail/gpgmail1.cc
Examining data/gpg-remailer-3.04.05/gpgmail/makeboundary.cc
Examining data/gpg-remailer-3.04.05/gpgmail/gpgmail.h
Examining data/gpg-remailer-3.04.05/headers/headers.h
Examining data/gpg-remailer-3.04.05/headers/mailheader.cc
Examining data/gpg-remailer-3.04.05/headers/headers1.cc
Examining data/gpg-remailer-3.04.05/headers/fillxheaders.cc
Examining data/gpg-remailer-3.04.05/headers/getheader.cc
Examining data/gpg-remailer-3.04.05/logexception/logexception.h
Examining data/gpg-remailer-3.04.05/logexception/msg.cc
Examining data/gpg-remailer-3.04.05/mail/writecontents.cc
Examining data/gpg-remailer-3.04.05/mail/mail1.cc
Examining data/gpg-remailer-3.04.05/mail/writeheaders.cc
Examining data/gpg-remailer-3.04.05/mail/pgpmessage.cc
Examining data/gpg-remailer-3.04.05/mail/filter.cc
Examining data/gpg-remailer-3.04.05/mail/mail.h
Examining data/gpg-remailer-3.04.05/mail/hexchar.cc
Examining data/gpg-remailer-3.04.05/mail/operatorfun.cc
Examining data/gpg-remailer-3.04.05/mail/inspect.cc
Examining data/gpg-remailer-3.04.05/mailer/mailer.h
Examining data/gpg-remailer-3.04.05/mailerbase/contentheader.cc
Examining data/gpg-remailer-3.04.05/mailerbase/sendmail.cc
Examining data/gpg-remailer-3.04.05/mailerbase/setrecipients.cc
Examining data/gpg-remailer-3.04.05/mailerbase/mailerbase1.cc
Examining data/gpg-remailer-3.04.05/mailerbase/mailerbase.h
Examining data/gpg-remailer-3.04.05/mailerbase/headers.cc
Examining data/gpg-remailer-3.04.05/mailerbase/cleanupheader.cc
Examining data/gpg-remailer-3.04.05/main.cc
Examining data/gpg-remailer-3.04.05/preamble.cc
Examining data/gpg-remailer-3.04.05/remailer/setreplyto.cc
Examining data/gpg-remailer-3.04.05/remailer/collect.cc
Examining data/gpg-remailer-3.04.05/remailer/setdebug.cc
Examining data/gpg-remailer-3.04.05/remailer/multipart.cc
Examining data/gpg-remailer-3.04.05/remailer/data.cc
Examining data/gpg-remailer-3.04.05/remailer/copytoboundary2.cc
Examining data/gpg-remailer-3.04.05/remailer/remailer.h
Examining data/gpg-remailer-3.04.05/remailer/simple.cc
Examining data/gpg-remailer-3.04.05/remailer/configfield.cc
Examining data/gpg-remailer-3.04.05/remailer/checkrelax.cc
Examining data/gpg-remailer-3.04.05/remailer/encryptiontype.cc
Examining data/gpg-remailer-3.04.05/remailer/setfilenames.cc
Examining data/gpg-remailer-3.04.05/remailer/writereencrypted.cc
Examining data/gpg-remailer-3.04.05/remailer/multifield.cc
Examining data/gpg-remailer-3.04.05/remailer/checkmembers.cc
Examining data/gpg-remailer-3.04.05/remailer/mailcontents.cc
Examining data/gpg-remailer-3.04.05/remailer/setcleartext.cc
Examining data/gpg-remailer-3.04.05/remailer/remailer1.cc
Examining data/gpg-remailer-3.04.05/remailer/setlog.cc
Examining data/gpg-remailer-3.04.05/remailer/multipartsigned.cc
Examining data/gpg-remailer-3.04.05/remailer/reencrypt.cc
Examining data/gpg-remailer-3.04.05/remailer/copysignature.cc
Examining data/gpg-remailer-3.04.05/remailer/signaturefilter.cc
Examining data/gpg-remailer-3.04.05/remailer/mail.cc
Examining data/gpg-remailer-3.04.05/remailer/hasboundary.cc
Examining data/gpg-remailer-3.04.05/remailer/filetoreencrypt.cc
Examining data/gpg-remailer-3.04.05/remailer/destructor.cc
Examining data/gpg-remailer-3.04.05/remailer/findboundary.cc
Examining data/gpg-remailer-3.04.05/remailer/setsigrequired.cc
Examining data/gpg-remailer-3.04.05/remailer/copytoboundary.cc
Examining data/gpg-remailer-3.04.05/remailer/setkeepfiles.cc
Examining data/gpg-remailer-3.04.05/remailer/decrypt.cc
Examining data/gpg-remailer-3.04.05/remailer/step.cc
Examining data/gpg-remailer-3.04.05/remailer/setsuffixnr.cc
Examining data/gpg-remailer-3.04.05/remailer/envelopeok.cc
Examining data/gpg-remailer-3.04.05/remailer/preparations.cc
Examining data/gpg-remailer-3.04.05/remailer/setumask.cc
Examining data/gpg-remailer-3.04.05/remailer/strtounsigned.cc
Examining data/gpg-remailer-3.04.05/usage.cc
Examining data/gpg-remailer-3.04.05/version.cc
Examining data/gpg-remailer-3.04.05/VERSION.h

FINAL RESULTS:

data/gpg-remailer-3.04.05/remailer/setlog.cc:17:5: [5] (race) chmod:
  This accepts filename arguments; if an attacker can move those files, a race condition results. (CWE-362). Use fchmod( ) instead.
    chmod(name.c_str(), S_IRUSR | S_IWUSR);
data/gpg-remailer-3.04.05/remailer/setsuffixnr.cc:7:9: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    if (random)
data/gpg-remailer-3.04.05/remailer/setsuffixnr.cc:23:38: [3] (random) random:
  This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327). Use a more secure technique for acquiring random values.
    (random ? "random" : "via --nr") << ")\n";
data/gpg-remailer-3.04.05/cleartextmail/writemailcontents.cc:6:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(in, mailData);
data/gpg-remailer-3.04.05/cleartextmail/writemailcontents.cc:9:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(out, d_mailName);
data/gpg-remailer-3.04.05/gpg/collector.cc:7:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(outStream, out);
data/gpg-remailer-3.04.05/gpg/run.cc:20:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(inStream, in);
data/gpg-remailer-3.04.05/gpgmail/writemailcontents.cc:6:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(in, mailData);
data/gpg-remailer-3.04.05/gpgmail/writemailcontents.cc:9:16: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    Exception::open(out, d_mailName);
data/gpg-remailer-3.04.05/mail/hexchar.cc:13:5: [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
    char buffer[3];
data/gpg-remailer-3.04.05/mail/writecontents.cc:8:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(out, contentsName);
data/gpg-remailer-3.04.05/mail/writeheaders.cc:6:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(out, hdrsName);
data/gpg-remailer-3.04.05/remailer/copysignature.cc:13:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(sig, d_signatureName);
data/gpg-remailer-3.04.05/remailer/copytoboundary2.cc:8:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(out, destName);
data/gpg-remailer-3.04.05/remailer/filetoreencrypt.cc:12:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(io.decrypted, d_decryptedName); // decrypted.1
data/gpg-remailer-3.04.05/remailer/filetoreencrypt.cc:13:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(io.toReencrypt, d_reencryptName); // reencrypt.1
data/gpg-remailer-3.04.05/remailer/multipartsigned.cc:62:19: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    LogException::open(data, d_multipartSignedDataName);
data/gpg-remailer-3.04.05/remailer/setlog.cc:16:11: [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).
    d_log.open(name);
data/gpg-remailer-3.04.05/remailer/setumask.cc:14:5: [1] (access) umask:
  Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732).
    umask(umaskValue);

ANALYSIS SUMMARY:

Hits = 19
Lines analyzed = 2173 in approximately 0.10 seconds (21388 lines/second)
Physical Source Lines of Code (SLOC) = 1494
Hits@level = [0] 0 [1] 1 [2] 15 [3] 2 [4] 0 [5] 1
Hits@level+ = [0+] 19 [1+] 19 [2+] 18 [3+] 3 [4+] 1 [5+] 1
Hits/KSLOC@level+ = [0+] 12.7175 [1+] 12.7175 [2+] 12.0482 [3+] 2.00803 [4+] 0.669344 [5+] 0.669344
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.