Veracode static analysis results

Mark Doliner mark at kingant.net
Sat Dec 29 19:55:44 EST 2012


On Thu, Dec 13, 2012 at 6:49 PM, Elliott Sales de Andrade
<qulogic at pidgin.im> wrote:
> OK, I had a look at the 6 low issues.
>
> 4 - pidgin home/.../pidgin/gtkprefs.c 729 9085
> 4 - pidgin home/.../pidgin/gtkprefs.c 732 9056
> 4 - pidgin home/.../pidgin/gtkprefs.c 773 9055
> 4 - pidgin home/.../pidgin/gtkprefs.c 780 9058
>
> These are all `g_rename` and `g_remove` for themes that are dragged
> onto the prefs window. `g_rename` the temp file/directory into the
> `~/.purple` theme directory and `g_remove` the temporary one. Maybe
> the `g_rename` should be checked.

I added logging for 3 of the 4 in trunk (not in 2.x.y).  I believe the
fourth one will sometimes legitimately fail in some circumstances, and
so it doesn't make sense to log an error (we could maybe try to keep
track of whether we actually NEED to g_remove and only call it when we
need to, but I don't think it's worth it).

> 5 - libpurple.so home/.../libpurple/log.c 838 8992
>
> This is an `unlink` used to remove a logged image if it's not saved
> correctly, so the return value isn't too important. However, maybe
> this one should be g_unlink since we use g_fopen?

I added a logging statement and changed unlink to g_unlink in trunk (not 2.x.y).
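The pattern discussed above, as an added example that is not Pidgin's code: it uses plain POSIX rename()/remove() in place of GLib's g_rename()/g_remove(), logs through a stand-in helper instead of purple_debug_error (an assumption), and only removes the temporary file when the rename failed, since after a successful rename the source path is already gone and the remove would fail for no interesting reason.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for purple_debug_error() (assumption, not libpurple's API). */
static void log_error(const char *op, const char *path)
{
    fprintf(stderr, "%s failed for %s: %s\n", op, path, strerror(errno));
}

/* Create a small stand-in theme file at path (constructed test input). */
int write_temp(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) { log_error("fopen", path); return -1; }
    fputs("[theme]\nname=example\n", f);
    return fclose(f) == 0 ? 0 : -1;
}

/*
 * Move a dropped theme from its temporary location into the theme
 * directory. Returns 0 on success, -1 on failure.
 *
 * The rename result is checked and logged. The temporary copy is only
 * removed when the rename did NOT succeed: after a successful rename the
 * source path no longer exists, so remove() would fail with ENOENT and
 * logging that would be noise.
 */
int install_theme(const char *tmp_path, const char *dest_path)
{
    if (rename(tmp_path, dest_path) == 0)
        return 0;                  /* tmp_path is gone; nothing to clean up */

    log_error("rename", tmp_path); /* e.g. EXDEV, EACCES, EISDIR, ENOENT */

    /* Rename failed, so the temporary file is still there: clean it up,
     * and check that too so a stale temp file does not go unnoticed. */
    if (remove(tmp_path) != 0)
        log_error("remove", tmp_path);

    return -1;
}

/* Return 1 if path exists, 0 otherwise. */
int path_exists(const char *path)
{
    return access(path, F_OK) == 0;
}
```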
