Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc
Examining data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/localconf.h
FINAL RESULTS:
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:562:12: [5] (buffer) gets:
Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
# so uname gets run too.
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:3448:27: [5] (buffer) gets:
Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
# /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:37:53: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
# Printing a long string crashes Solaris 7 /usr/bin/printf.
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:48:12: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
as_echo='printf %s\n'
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:49:14: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
as_echo_n='printf %s'
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:1259:27: [4] (shell) system:
This causes a new program to execute and is difficult to use safely
(CWE-78). try using a library call that implements the same functionality
if available.
--sbindir=DIR system admin executables [EPREFIX/sbin]
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:4552:15: [4] (format) printf:
If format strings can be influenced by an attacker, they can be exploited
(CWE-134). Use a constant for the format specification.
elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:1931:13: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *f = fopen ("conftest.val", "w");
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:2800:11: [2] (misc) fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
FILE *f = fopen ("conftest.out", "w");
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:1957:24: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
echo >>conftest.val; read $3 <conftest.val; ac_retval=0
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:5089:9: [1] (access) umask:
Ensure that umask is given most restrictive possible setting (e.g., 066 or
077) (CWE-732).
tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
data/libnetaddr-ip-perl-4.079+dfsg/Lite/Util/configure.cc:5094:4: [1] (access) umask:
Ensure that umask is given most restrictive possible setting (e.g., 066 or
077) (CWE-732).
(umask 077 && mkdir "$tmp")
ANALYSIS SUMMARY:
Hits = 12
Lines analyzed = 5481 in approximately 0.25 seconds (22052 lines/second)
Physical Source Lines of Code (SLOC) = 2788
Hits@level = [0] 2 [1] 3 [2] 2 [3] 0 [4] 5 [5] 2
Hits@level+ = [0+] 14 [1+] 12 [2+] 9 [3+] 7 [4+] 7 [5+] 2
Hits/KSLOC@level+ = [0+] 5.02152 [1+] 4.30416 [2+] 3.22812 [3+] 2.51076 [4+] 2.51076 [5+] 0.71736
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.