Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
Examining data/sddm-kcm-5.19.5/sddmauthhelper.h
Examining data/sddm-kcm-5.19.5/sddmauthhelper.cpp
Examining data/sddm-kcm-5.19.5/sddmthemeinstaller.cpp
Examining data/sddm-kcm-5.19.5/src/usersmodel.h
Examining data/sddm-kcm-5.19.5/src/usersmodel.cpp
Examining data/sddm-kcm-5.19.5/src/themesmodel.h
Examining data/sddm-kcm-5.19.5/src/sddmkcm.cpp
Examining data/sddm-kcm-5.19.5/src/sessionmodel.h
Examining data/sddm-kcm-5.19.5/src/themesmodel.cpp
Examining data/sddm-kcm-5.19.5/src/sddmkcm.h
Examining data/sddm-kcm-5.19.5/src/sessionmodel.cpp
Examining data/sddm-kcm-5.19.5/src/thememetadata.h
Examining data/sddm-kcm-5.19.5/src/configwidgets/selectimagebutton.cpp
Examining data/sddm-kcm-5.19.5/src/configwidgets/selectimagebutton.h
Examining data/sddm-kcm-5.19.5/src/themesdelegate.h
Examining data/sddm-kcm-5.19.5/src/themeconfig.cpp
Examining data/sddm-kcm-5.19.5/src/themeconfig.h
Examining data/sddm-kcm-5.19.5/src/thememetadata.cpp
Examining data/sddm-kcm-5.19.5/src/themesdelegate.cpp
Examining data/sddm-kcm-5.19.5/src/advancedconfig.cpp
Examining data/sddm-kcm-5.19.5/src/advancedconfig.h
FINAL RESULTS:
data/sddm-kcm-5.19.5/sddmauthhelper.cpp:75:9: [5] (race) chown:
This accepts filename arguments; if an attacker can move those files, a
race condition results. (CWE-362). Use fchown( ) instead.
if (chown(destinationConverted, sddmUser.userId().nativeId(), sddmUser.groupId().nativeId())) {
data/sddm-kcm-5.19.5/sddmauthhelper.cpp:53:14: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
file.open(QIODevice::WriteOnly);
data/sddm-kcm-5.19.5/sddmauthhelper.cpp:344:19: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!archive->open(QIODevice::ReadOnly)) {
data/sddm-kcm-5.19.5/src/sessionmodel.cpp:64:24: [2] (misc) open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
if (!inputFile.open(QIODevice::ReadOnly))
data/sddm-kcm-5.19.5/src/sessionmodel.cpp:66:55: [1] (buffer) strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
SessionPtr si { new Session { session.chopped(strlen(".desktop")), QString(), QString(), QString() } };
data/sddm-kcm-5.19.5/src/thememetadata.cpp:49:5: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
read(d->path + QStringLiteral("metadata.desktop"));
data/sddm-kcm-5.19.5/src/thememetadata.cpp:70:21: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
void ThemeMetadata::read(const QString &filename)
data/sddm-kcm-5.19.5/src/thememetadata.h:51:10: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
void read(const QString &filename);
ANALYSIS SUMMARY:
Hits = 8
Lines analyzed = 2502 in approximately 0.10 seconds (25595 lines/second)
Physical Source Lines of Code (SLOC) = 1634
Hits@level = [0] 0 [1] 4 [2] 3 [3] 0 [4] 0 [5] 1
Hits@level+ = [0+] 8 [1+] 8 [2+] 4 [3+] 1 [4+] 1 [5+] 1
Hits/KSLOC@level+ = [0+] 4.89596 [1+] 4.89596 [2+] 2.44798 [3+] 0.611995 [4+] 0.611995 [5+] 0.611995
Dot directories skipped = 1 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.