(Small) software that needs code audit

[Josh Bressers]

> Hi,
> 
> As some of you already know I'm a computer science teacher at a Dutch
> university. Currently I'm giving a course about security.
> 
> For my next practical lesson I want my students todo an audit of a small
> piece of C-code. Nothing fancy really just looking for sprintf instead
> of snprintf, gets instead of fgets, etc. And formatstring vulnerabilities.
> 
> Does anyone know of some (small!) piece of software in Fedora (Extras)
> that could benefit from this?
> 
> And are there any other simple checks my students could do?

Checking for programs that call open(2) with O_CREAT and don't specify a
mode.  It's a terribly easy thing to look for and can be an annoying bug.
As for having students do it, it has the advantage of making them do some
code analysis since not all botched open calls are security issues.

If I call open as such

open("/tmp/feh", O_CREAT);

I end with a file called /tmp/feh with nearly random permissions (bits are
sucked off the stack to set the permissions).  It's possible the file could
be written as world writable (or many other permissions, I'll let you think
about the possibilities).

I should have called open like this

open("/tmp/feh", O_CREAT, 0);

Or if I don't want to change the permissions later, I can supply a non zero
mode.


It's also a fine idea to look for improper usage of temporary files.  Using
mktemp(3) instead of mkstemp(3).


If I could suggest part of your class teaches responsible and sane
disclosure.  A while back another CS teacher did a similar thing with a
class, and at the end of the class dumped a big email to full-disclosure
detailing the problems.  Luckily none of them were that terribly critical,
but there was much scrambling since triaging 30+ issues is painful.  Part
of finding and fixing security issues is communicating the fixes upstream
and deciding what to do about disclosure.

I love hearing about classes such as this, good luck :)

-- 
    JB