Flawfinder version 2.0.10, (C) 2001-2019 David A. Wheeler. Number of rules (primarily dangerous function names) in C/C++ ruleset: 223 Examining data/pidgin-otr-4.0.2/otr-plugin.c Examining data/pidgin-otr-4.0.2/dialogs.c Examining data/pidgin-otr-4.0.2/otr-plugin.h Examining data/pidgin-otr-4.0.2/gtk-ui.c Examining data/pidgin-otr-4.0.2/dialogs.h Examining data/pidgin-otr-4.0.2/ui.h Examining data/pidgin-otr-4.0.2/ui.c Examining data/pidgin-otr-4.0.2/gtk-dialog.c Examining data/pidgin-otr-4.0.2/tooltipmenu.c Examining data/pidgin-otr-4.0.2/gtk-dialog.h Examining data/pidgin-otr-4.0.2/tooltipmenu.h Examining data/pidgin-otr-4.0.2/otr-icons.h Examining data/pidgin-otr-4.0.2/gtk-ui.h FINAL RESULTS: data/pidgin-otr-4.0.2/dialogs.c:132:62: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void otrg_dialog_unknown_fingerprint(OtrlUserState us, const char *accountname, data/pidgin-otr-4.0.2/dialogs.c:133:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]) data/pidgin-otr-4.0.2/dialogs.c:133:30: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]) data/pidgin-otr-4.0.2/dialogs.c:133:50: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]) data/pidgin-otr-4.0.2/dialogs.h:60:57: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void (*unknown_fingerprint)(OtrlUserState us, const char *accountname, data/pidgin-otr-4.0.2/dialogs.h:61:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/dialogs.h:61:30: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/dialogs.h:61:50: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/dialogs.h:139:62: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. void otrg_dialog_unknown_fingerprint(OtrlUserState us, const char *accountname, data/pidgin-otr-4.0.2/dialogs.h:140:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/dialogs.h:140:30: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/dialogs.h:140:50: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *protocol, const char *who, unsigned char fingerprint[20]); data/pidgin-otr-4.0.2/gtk-dialog.c:647:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char our_hash[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], data/pidgin-otr-4.0.2/gtk-dialog.c:1117:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *who, data/pidgin-otr-4.0.2/gtk-dialog.c:1117:33: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *who, data/pidgin-otr-4.0.2/gtk-dialog.c:1117:55: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *who, data/pidgin-otr-4.0.2/gtk-dialog.c:1118:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char fingerprint[20]) data/pidgin-otr-4.0.2/gtk-dialog.c:1273:14: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char fingerprint[20]; data/pidgin-otr-4.0.2/gtk-dialog.c:1385:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char our_hash[OTRL_PRIVKEY_FPRINT_HUMAN_LEN], data/pidgin-otr-4.0.2/gtk-ui.c:99:2: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char fingerprint_buf[OTRL_PRIVKEY_FPRINT_HUMAN_LEN]; data/pidgin-otr-4.0.2/gtk-ui.c:163:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char hash[OTRL_PRIVKEY_FPRINT_HUMAN_LEN]; data/pidgin-otr-4.0.2/gtk-ui.c:800:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char *titles[5]; data/pidgin-otr-4.0.2/otr-plugin.c:105:17: [2] (misc) fopen: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362). #define g_fopen fopen data/pidgin-otr-4.0.2/otr-plugin.c:320:8: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *username, data/pidgin-otr-4.0.2/otr-plugin.c:320:33: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *username, data/pidgin-otr-4.0.2/otr-plugin.c:320:55: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. const char *accountname, const char *protocol, const char *username, data/pidgin-otr-4.0.2/otr-plugin.c:321:11: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. unsigned char fingerprint[20]) data/pidgin-otr-4.0.2/otr-plugin.c:1112:5: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. char storeline[50]; data/pidgin-otr-4.0.2/otr-plugin.c:1141:18: [2] (integer) atoi: Unless checked, the resulting number can exceed the expected range (CWE-190). If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended). *mms_in_table = atoi(mms); data/pidgin-otr-4.0.2/gtk-dialog.c:306:15: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). secret_len = strlen(secret); data/pidgin-otr-4.0.2/gtk-dialog.c:321:32: [1] (buffer) strlen: Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected) (CWE-126). if (user_question == NULL || strlen(user_question) == 0) { data/pidgin-otr-4.0.2/gtk-dialog.c:675:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant string. strncpy(our_hash, _("[none]"), 44); data/pidgin-otr-4.0.2/gtk-dialog.c:1403:5: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid pointers [MS-banned] (CWE-120). Risk is low because the source is a constant string. strncpy(our_hash, _("[none]"), 44); data/pidgin-otr-4.0.2/otr-plugin.c:221:12: [1] (access) umask: Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732). mask = umask (0077); data/pidgin-otr-4.0.2/otr-plugin.c:225:5: [1] (access) umask: Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732). umask (mask); data/pidgin-otr-4.0.2/otr-plugin.c:1033:12: [1] (access) umask: Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732). mask = umask (0077); data/pidgin-otr-4.0.2/otr-plugin.c:1037:5: [1] (access) umask: Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732). umask (mask); ANALYSIS SUMMARY: Hits = 37 Lines analyzed = 7685 in approximately 0.21 seconds (37444 lines/second) Physical Source Lines of Code (SLOC) = 5487 Hits@level = [0] 8 [1] 8 [2] 29 [3] 0 [4] 0 [5] 0 Hits@level+ = [0+] 45 [1+] 37 [2+] 29 [3+] 0 [4+] 0 [5+] 0 Hits/KSLOC@level+ = [0+] 8.2012 [1+] 6.74321 [2+] 5.28522 [3+] 0 [4+] 0 [5+] 0 Dot directories skipped = 1 (--followdotdir overrides) Minimum risk level = 1 Not every hit is necessarily a security vulnerability. There may be other security vulnerabilities; review your code! See 'Secure Programming HOWTO' (https://dwheeler.com/secure-programs) for more information.