[rats] Update to 2.4 Adopt patches from Slawomir Czarko <slawomir at ezono.com>
Christopher Meng
cicku at fedoraproject.org
Thu Jul 3 06:46:05 UTC 2014
commit 9eb48570f0a0d3f62a275175a9ce8a7bb01c79ef
Author: Christopher Meng <i at cicku.me>
Date: Thu Jul 3 14:45:14 2014 +0800
Update to 2.4
Adopt patches from Slawomir Czarko <slawomir at ezono.com>
.gitignore | 1 +
0001-Fix-conflicting-declaration.patch | 78 +++
0002-Fix-engine-output-and-php-extension.patch | 44 ++
....1-report.patch => 0003-Fix-report-layout.patch | 683 ++++++++++----------
rats-2.1-build-clean.patch | 96 ---
rats-2.1-lex.patch | 190 ------
rats-2.1-php.patch | 25 -
rats-2.1-gtk-vuln.patch => rats-2.4-gtk-vuln.patch | 7 +-
rats-2.4-hash.patch | 40 ++
rats.spec | 42 +-
sources | 2 +-
11 files changed, 517 insertions(+), 691 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index b227fde..a45607f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
rats-2.1.tar.gz
+/rats-2.4.tgz
diff --git a/0001-Fix-conflicting-declaration.patch b/0001-Fix-conflicting-declaration.patch
new file mode 100644
index 0000000..fb4ae7f
--- /dev/null
+++ b/0001-Fix-conflicting-declaration.patch
@@ -0,0 +1,78 @@
+From dde94386ca7ac4acb82abb01e0ae21b816006667 Mon Sep 17 00:00:00 2001
+From: Christopher Meng <i at cicku.me>
+Date: Thu, 3 Jul 2014 13:49:09 +0800
+Subject: [PATCH] Fix conflicting declaration
+
+---
+ tokens.h | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tokens.h b/tokens.h
+index 8a68d6f..b764ae5 100644
+--- a/tokens.h
++++ b/tokens.h
+@@ -39,7 +39,7 @@
+ #define TOKEN_PHP_START (TOKEN_PERL_END + 1)
+ #define TOKEN_PHP_END (TOKEN_PHP_START + 127)
+
+-#define TOKEN_RUBY_START (TOKEN_PHP_END + 1)
++#define TOKEN_RUBY_START (TOKEN_PHP_END + 1)
+ #define TOKEN_RUBY_END (TOKEN_RUBY_START + 127)
+
+ /* Tokens that are common to multiple languages */
+@@ -93,7 +93,7 @@ extern int clex_column;
+ extern int clex_lineno;
+ extern FILE * yycin;
+ extern char * yyctext;
+-extern int yycleng;
++extern size_t yycleng;
+ extern int yyclength, yycsize;
+ extern char * yyccomment;
+
+@@ -104,7 +104,7 @@ extern int plex_column;
+ extern int plex_lineno;
+ extern FILE * yypin;
+ extern char * yyptext;
+-extern int yypleng;
++extern size_t yypleng;
+ extern char * yypcomment;
+
+ extern int yyplex(void);
+@@ -114,7 +114,7 @@ extern int perllex_column;
+ extern int perllex_lineno;
+ extern FILE * yyperlin;
+ extern char * yyperltext;
+-extern int yyperlleng;
++extern size_t yyperlleng;
+ extern char * yyperlcomment;
+ extern int yyperllex(void);
+
+@@ -123,17 +123,17 @@ extern int phplex_column;
+ extern int phplex_lineno;
+ extern FILE * yyphpin;
+ extern char * yyphptext;
+-extern int yyphpleng;
++extern size_t yyphpleng;
+ extern char * yyphpcomment;
+ extern int yyphplex(void);
+
+-/* ruby language */
+-extern int rubylex_column;
+-extern int rubylex_lineno;
+-extern FILE * yyrubyin;
+-extern char * yyrubytext;
+-extern int yyrubyleng;
+-extern char * yyrubycomment;
++/* ruby language */
++extern int rubylex_column;
++extern int rubylex_lineno;
++extern FILE * yyrubyin;
++extern char * yyrubytext;
++extern size_t yyrubyleng;
++extern char * yyrubycomment;
+ extern int yyrubylex(void);;
+
+ #endif
+--
+2.0.0
+
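Review bot: Hard-coding `size_t` for `yycleng`, `yypleng`, `yyperlleng`, `yyphpleng` and `yyrubyleng` ties tokens.h to the flex release that generated the scanners; the type of the generated `yyleng` has not been stable across flex versions (`int` in older releases, `yy_size_t` in the 2.5.3x series, and as far as I recall `int` again in 2.6), so the same conflicting-declaration error can return on a different build root. If the type has to be spelled here, a comment next to the first one such as `/* must match the type flex gives yyleng in the generated scanners; re-check on a flex upgrade */` records the dependency for the next packager. The `TOKEN_RUBY_START` line and the seven-line ruby block are whitespace-only rewrites apart from the one `int` → `size_t` change, which makes the patch noisier to rebase than it needs to be; the doubled `;;` after `yyrubylex(void)` is pre-existing.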
diff --git a/0002-Fix-engine-output-and-php-extension.patch b/0002-Fix-engine-output-and-php-extension.patch
new file mode 100644
index 0000000..f273abf
--- /dev/null
+++ b/0002-Fix-engine-output-and-php-extension.patch
@@ -0,0 +1,44 @@
+From 675434d63e1c664c781ee34fc12fea1059cd2442 Mon Sep 17 00:00:00 2001
+From: Christopher Meng <i at cicku.me>
+Date: Thu, 3 Jul 2014 14:25:21 +0800
+Subject: [PATCH] Fix engine output and php extension
+
+---
+ engine.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/engine.c b/engine.c
+index e07e8ab..23ec066 100644
+--- a/engine.c
++++ b/engine.c
+@@ -965,7 +965,9 @@ char determine_language(char *filename, FILE *fd, int forcelang)
+ setup_python(fd);
+ else if (!strcasecmp(dot, ".pl") || !strcasecmp(dot, ".pm"))
+ setup_perl(fd);
+- else if (!strcasecmp(dot, ".php"))
++ else if (!strcasecmp(dot, ".php")||
++ !strcasecmp(dot, ".php3")||
++ !strcasecmp(dot, ".php4"))
+ setup_php(fd);
+ else if (!strcasecmp(dot, ".rb"))
+ setup_ruby(fd);
+@@ -1028,6 +1030,7 @@ void process_directory(char *filename, int forcelang) {
+ dirdata.cFileName);
+ process_file(buf,forcelang);
+ }
++ closedir(dir);
+
+ error = GetLastError();
+ if (error!=ERROR_NO_MORE_FILES) {
+@@ -1043,7 +1046,7 @@ void process_directory(char *filename, int forcelang) {
+ }
+ #else
+ if((dir=opendir(filename))==NULL) {
+- fprintf(stderr,"There was a problem opening the directory.\n");
++ fprintf(stderr,"There was a problem opening the directory %s.\n");
+ return;
+ }
+ while((dirdata=readdir(dir))!=NULL) {
+--
+2.0.0
+
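Review bot: The reworded error in the `#else` branch, `fprintf(stderr,"There was a problem opening the directory %s.\n");`, adds a `%s` conversion but passes no argument, so the call reads a vararg that does not exist — undefined behaviour, in practice garbage or a crash on exactly the error path the change is trying to make more useful. It should be `fprintf(stderr,"There was a problem opening the directory %s.\n", filename);`. The `closedir(dir);` added just before `error = GetLastError();` sits in the branch that precedes `#else`, which otherwise uses `dirdata.cFileName` and `GetLastError()`; whether `dir` is a `DIR *` there or a Find handle is not visible in the hunk, so confirm that `closedir` is the right release call for that branch and that the POSIX branch after `#else`, whose end is outside the hunk, closes its own `DIR *`. Both `determine_language` and `process_directory` continue outside the hunks.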
diff --git a/rats-2.1-report.patch b/0003-Fix-report-layout.patch
similarity index 77%
rename from rats-2.1-report.patch
rename to 0003-Fix-report-layout.patch
index 754c067..0280281 100644
--- a/rats-2.1-report.patch
+++ b/0003-Fix-report-layout.patch
@@ -1,352 +1,335 @@
-=== modified file 'report.c'
---- report.c 2007-10-09 18:57:42 +0000
-+++ report.c 2007-10-09 19:09:08 +0000
-@@ -51,7 +51,8 @@
- #else
- struct timeval time_started;
- struct timeval time_finished;
--#endif
-+#endif
-+
-
-
- /* This function EXPECTS a MALLOCED BUFFER to be passed into it, as it will
-@@ -708,24 +709,30 @@
- if (!(flags & INPUT_MODE))
- return;
-
-+ printf( "<ul>\n" );
-+
- for (ptr = input_head; ptr != (input_t *)NULL; ptr = next)
- {
- next = ptr->next;
- if (!lookup_ignore(ptr->filename, ptr->lineno, ptr->data->Name))
- {
- count++;
-- printf("<b>%s</b>: Line %d: function %s<br>\n", ptr->filename, ptr->lineno, ptr->data->Name);
-+ printf("<li><b>%s</b>: Line %d: function %s</li>\n", ptr->filename, ptr->lineno, ptr->data->Name);
- }
- free(ptr);
- }
- input_head = input_tail = (input_t *)NULL;
-
-+ printf( "</ul>\n" );
-+
- if (count > 0)
- {
+From 65b7fbc66a92edf06133c0b7f336fb11b5d1c0b9 Mon Sep 17 00:00:00 2001
+From: Christopher Meng <i at cicku.me>
+Date: Thu, 3 Jul 2014 14:41:47 +0800
+Subject: [PATCH] Fix report layout
+
+---
+ report.c | 167 ++++++++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 91 insertions(+), 76 deletions(-)
+
+diff --git a/report.c b/report.c
+index 614158a..9982f1a 100644
+--- a/report.c
++++ b/report.c
+@@ -769,24 +769,28 @@ void html_report_inputs(void)
+ if (!(flags & INPUT_MODE))
+ return;
+
++ printf( "<ul>\n" );
++
+ for (ptr = input_head; ptr != (input_t *)NULL; ptr = next)
+ {
+ next = ptr->next;
+ if (!lookup_ignore(ptr->filename, ptr->lineno, ptr->data->Name))
+ {
+ count++;
+- printf("<b>%s</b>: Line %d: function %s<br>\n", ptr->filename, ptr->lineno, ptr->data->Name);
++ printf("<li><b>%s</b>: Line %d: function %s</li>\n", ptr->filename, ptr->lineno, ptr->data->Name);
+ }
+ free(ptr);
+- }
++ }
+ input_head = input_tail = (input_t *)NULL;
+-
++
++ printf( "</ul>\n" );
++
+ if (count > 0)
+ {
- printf("<br>Double check to be sure that all input accepted from an external data source\n");
-+ printf("<p>Double check to be sure that all input accepted from an external data source\n");
-+
- printf("does not exceed the limits of the variable being used to hold it. Also make\n");
-- printf("sure that the input cannot be used in such a manner as to alter your program's\n");
-- printf("behaviour in an undesirable way.<br>\n");
-+ printf("sure that the input cannot be used in such a manner as to alter your program's\n");
-+
-+ printf("behaviour in an undesirable way.</p>\n");
- }
- }
-
-@@ -894,145 +901,171 @@
-
-
- /* Output the severity */
-- printf(" <b>Severity: %s</b><br/>\n",
-- severities[ptr->severity]);
-
- switch (ptr->type)
- {
- case BOProblem:
- if (ptr->data->BOProblem->FormatArg > 0)
- {
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: <tt>%s</tt></p>\n",
- ptr->data->Name);
-- printf(" Check to be sure that the format string passed as argument %d to this\n", ptr->data->BOProblem->FormatArg);
-- printf(" function call does not come from an untrusted source that could have added\n");
-- printf(" formatting characters that the code is not prepared to handle.\n");
-- printf(" Additionally, the format string could contain `%%s' without precision that\n");
-- printf(" could result in a buffer overflow.\n");
-- printf(" <br/>\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>Check to be sure that the format string passed as argument %d to this\n", ptr->data->BOProblem->FormatArg);
-+ printf("function call does not come from an untrusted source that could have added\n");
-+ printf("formatting characters that the code is not prepared to handle.\n");
-+ printf("Additionally, the format string could contain `%%s' without precision that\n");
-+ printf("could result in a buffer overflow.\n");
-+ printf("</p>\n");
- }
- if (ptr->data->BOProblem->SrcBufArg > 0)
- {
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: <tt>%s</tt></p>\n",
- ptr->data->Name);
-- printf(" Check to be sure that argument %d passed to this function call will not\n", ptr->data->BOProblem->SrcBufArg);
-- printf(" copy more data than can be handled, resulting in a buffer overflow.\n");
-- printf(" <br/>\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+ printf("<p>Check to be sure that argument %d passed to this function call will not\n", ptr->data->BOProblem->SrcBufArg);
-+ printf("copy more data than can be handled, resulting in a buffer overflow.\n");
-+ printf("</p>\n");
- }
- break;
-
- case FSProblem:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: <tt>%s</tt></p>\n",
- ptr->data->Name);
-- printf(" Check to be sure that the non-constant format string passed as argument %d \n", ptr->data->FSProblem->Arg);
-- printf(" to this function call does not come from an untrusted source that could\n");
-- printf(" have added formatting characters that the code is not prepared to handle.\n");
-- printf(" <br/>\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+ printf("<p>Check to be sure that the non-constant format string passed as argument %d \n", ptr->data->FSProblem->Arg);
-+ printf("to this function call does not come from an untrusted source that could\n");
-+ printf("have added formatting characters that the code is not prepared to handle.\n");
-+ printf("</p>\n");
- break;
-
- case InputProblem:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: <tt>%s</tt></p>\n",
- ptr->data->Name);
-- printf(" Argument %d to this function call should be checked to ensure that it does\n", ptr->data->InputProblem->Arg);
-- printf(" not come from an untrusted source without first verifying that it contains\n");
-- printf(" nothing dangerous.\n");
-- printf(" <br/>\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>Argument %d to this function call should be checked to ensure that it does\n", ptr->data->InputProblem->Arg);
-+ printf("not come from an untrusted source without first verifying that it contains\n");
-+ printf("nothing dangerous.\n");
-+ printf("</p>\n");
- break;
-
- case Info:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: <tt>%s</tt></p>\n",
- ptr->data->Name);
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
- if (ptr->data->Info->Description != (char *)NULL) {
- cleanup_string(ptr->data->Info->Description);
-- printf(" %s\n", ptr->data->Info->Description);
-+ printf("<p>%s</p>\n", ptr->data->Info->Description);
- }
- if (ptr->data->Info->URL != (char *)NULL) {
- cleanup_string(ptr->data->Info->URL);
- /* This should possibly be made into it's own tag -- Robert */
-- printf(" See also:\n %s\n", ptr->data->Info->URL);
-+ printf("<p> See also:\n %s</p>\n", ptr->data->Info->URL);
- }
-- printf(" <br/>\n");
- break;
-
- case RaceConditionCheck:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists.\n");
-- printf(" This is the first line where a check has occured.");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists.\n");
-+ printf("This is the first line where a check has occured.</p>");
- if (ptr->uses != (toctou_use_t *)NULL && ptr->uses[0].lineno != 0)
- {
-- printf("\n The following line(s) contain uses that may match up with this check:\n");
-+ printf("<p>The following line(s) contain uses that may match up with this check:\n");
- for (i = 0; ptr->uses[i].lineno != 0; i++)
- printf(" %s%d (%s)", (i == 0 ? "" : ", "), ptr->uses[i].lineno, ptr->uses[i].name);
-- printf("\n");
-+ printf("</p>\n");
- }
- else
- {
-- printf(" No matching uses were detected.\n");
-+ printf("<p>No matching uses were detected.</p>\n");
- }
-- printf(" <br/>\n");
- break;
-
- case RaceConditionUse:
-- printf(" Issue: fixed size local buffer<br/>\n");
-- printf(" A potential race condition vulnerability exists here. Normally a call\n");
-- printf(" to this function is vulnerable only when a match check precedes it. No\n");
-- printf(" check was detected, however one could still exist that could not be\n");
-- printf(" detected.\n");
-- printf(" <br/>\n");
-+ printf("<p>Issue: fixed size local buffer</p>\n");
-+ printf("<p>A potential race condition vulnerability exists here. Normally a call\n");
-+ printf("to this function is vulnerable only when a match check precedes it. No\n");
-+ printf("check was detected, however one could still exist that could not be\n");
-+ printf("detected.</p>\n");
- break;
-
- case StaticLocalBuffer:
-- printf(" Issue: fixed size global buffer<br/>\n");
-- printf(" Extra care should be taken to ensure that character arrays that are\n");
-- printf(" allocated on the stack are used safely. They are prime targets for\n");
-- printf(" buffer overflow attacks.\n");
-- printf(" <br/>\n");
-+ printf("<p>Issue: fixed size global buffer</p>\n");
-+ printf("<p>Extra care should be taken to ensure that character arrays that are\n");
-+ printf("allocated on the stack are used safely. They are prime targets for\n");
-+ printf("buffer overflow attacks.</p>\n");
- break;
-
- case StaticGlobalBuffer:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" Extra care should be taken to ensure that character arrays that are\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>Extra care should be taken to ensure that character arrays that are\n");
- printf(" allocated with a static size are used safely. This appears to be a\n");
- printf(" global allocation and is less dangerous than a similar one on the stack.\n");
- printf(" Extra caution is still advised, however.\n");
-- printf(" <br/>\n");
-+ printf(" </p>\n");
- break;
-
- case Reference:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" A function call is not being made here, but a reference is being made to\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>A function call is not being made here, but a reference is being made to\n");
- printf(" a name that is normally a vulnerable function. It could be being\n");
- printf(" assigned as a pointer to function.\n\n");
-- printf(" <br/>\n");
-+ printf(" </p>\n");
- break;
-
- case PythonBacktick:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" Do not use a variable that has been derived from untrusted sources\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+ printf("<p>Do not use a variable that has been derived from untrusted sources\n");
- printf(" within a backtick. Doing so could allow an attacker to execute\n");
- printf(" arbitrary python code.\n");
-- printf(" <br/>\n");
-+ printf(" </p>\n");
- break;
-
- case PhpBacktick:
- case PerlBacktick:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" The backtick will act just like an call to exec(), so care should be\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+
-+ printf("<p>The backtick will act just like an call to exec(), so care should be\n");
- printf(" exercised that the string being backtick evaluated does not come from an\n");
- printf(" untrusted source.\n");
-- printf(" <br/>\n");
-+ printf(" </p>\n");
- break;
-
- case None:
-- printf(" Issue: %s<br/>\n",
-+ printf("<p>Issue: %s</p>\n",
- ptr->data->Name);
-- printf(" Unknown!?!?\n\n");
-- printf(" <br/>\n");
-+ printf("<p>Severity: <b>%s</b></p>\n",
-+ severities[ptr->severity]);
-+
-+
-+ printf("<p> Unknown!?!?</p>\n\n");
- break;
- }
- }
-@@ -1042,7 +1075,7 @@
- vulnerability_t * ptr;
-
- /* Initial necessary cruft */
-- printf("<h2>RATS results.\n</h2><br>\n");
-+ printf("<h2>RATS results.\n</h2>\n");
-
- /* Loop iterates through all of the problems found */
- for (ptr = list_head; ptr != (vulnerability_t *)NULL; ptr = ptr->next) {
-@@ -1071,7 +1104,7 @@
- printf("<ul>\n");
- if (!(flags & SHOW_CONTEXT))
- {
-- printf("File: <b>%s</b><br/>Lines: \n",
-+ printf("<li>File: <b>%s</b><br/>Lines: \n",
- ptr->filename);
- }
- }
-@@ -1089,15 +1122,15 @@
- printf("File: <b>%s</b> Line:<b>%d", ptr->filename, ptr->lineno);
- if (flags & SHOW_COLUMNS)
- printf("[%d]", ptr->column);
-- printf("</b><br>\n");
-+ printf("</b>\n");
- ctx = getctx(ptr->filename, ptr->lineno);
- if(ctx)
- {
-- printf("%s<br>\n", ctx);
-+ ctx = xml_escape(ctx);
-+ printf("%s\n", ctx);
- free(ctx);
- }
- }
--
-
-
-
-@@ -1105,7 +1138,7 @@
- if(ptr->next==(vulnerability_t *)NULL||
- strcmp(ptr->filename,ptr->next->filename)|| ptr->type == RaceConditionCheck ||
- ptr->next->type != ptr->type || ptr->next->data != ptr->data) {
-- printf(" </ul>\n");
-+ printf("</li>\n </ul>\n");
- }
-
- /* If the next vuln is different reset the vuln_reported variable to 0 so
-@@ -1120,11 +1153,7 @@
-
- printf("<h3>Inputs detected at the following points</h3>\n");
-
-- printf("<ul>\n");
- html_report_inputs();
-- printf("</ul>\n");
--
-- printf("<br><br>\n");
-
-
- if (!(flags & NO_FOOTER))
-@@ -1146,9 +1175,9 @@
- #endif
-
-
-- printf("Total lines analyzed: <b>%d</b><br>\n", total_lines);
-- printf("Total time <b>%f</b> seconds<br>\n", fsecs);
-- printf("<b>%d</b> lines per second<br>\n", (int)(total_lines/fsecs));
-+ printf("<p>Total lines analyzed: <b>%d</b></p>\n", total_lines);
-+ printf("<p>Total time <b>%f</b> seconds</p>\n", fsecs);
-+ printf("<p><b>%d</b> lines per second</p>\n", (int)(total_lines/fsecs));
- }
-
- printf("</body></html>\n");
++ printf("<p>Double check to be sure that all input accepted from an external data source\n");
+ printf("does not exceed the limits of the variable being used to hold it. Also make\n");
+ printf("sure that the input cannot be used in such a manner as to alter your program's\n");
+- printf("behaviour in an undesirable way.<br>\n");
++ printf("behaviour in an undesirable way.</p>\n");
+ }
+ }
+
+@@ -957,106 +961,114 @@ static void build_html_vulnerability(vulnerability_t *ptr) {
+ debug_vuln_dump(ptr);
+
+ /* Output the severity */
+- printf(" <b>Severity: %s</b><br/>\n",
+- severities[ptr->severity]);
+
+ switch (ptr->type)
+ {
+ case BOProblem:
+ if (ptr->data->BOProblem->FormatArg > 0)
+ {
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: <tt>%s</tt></p>\n",
+ ptr->data->Name);
+- printf(" Check to be sure that the format string passed as argument %d to this\n", ptr->data->BOProblem->FormatArg);
+- printf(" function call does not come from an untrusted source that could have added\n");
+- printf(" formatting characters that the code is not prepared to handle.\n");
+- printf(" Additionally, the format string could contain `%%s' without precision that\n");
+- printf(" could result in a buffer overflow.\n");
+- printf(" <br/>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Check to be sure that the format string passed as argument %d to this\n", ptr->data->BOProblem->FormatArg);
++ printf("function call does not come from an untrusted source that could have added\n");
++ printf("formatting characters that the code is not prepared to handle.\n");
++ printf("Additionally, the format string could contain `%%s' without precision that\n");
++ printf("could result in a buffer overflow.\n");
++ printf("</p>\n");
+ }
+ if (ptr->data->BOProblem->SrcBufArg > 0)
+ {
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: <tt>%s</tt></p>\n",
+ ptr->data->Name);
+- printf(" Check to be sure that argument %d passed to this function call will not\n", ptr->data->BOProblem->SrcBufArg);
+- printf(" copy more data than can be handled, resulting in a buffer overflow.\n");
+- printf(" <br/>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Check to be sure that argument %d passed to this function call will not\n", ptr->data->BOProblem->SrcBufArg);
++ printf("copy more data than can be handled, resulting in a buffer overflow.\n");
++ printf("</p>\n");
+ }
+ break;
+
+ case FSProblem:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: <tt>%s</tt></p>\n",
+ ptr->data->Name);
+- printf(" Check to be sure that the non-constant format string passed as argument %d \n", ptr->data->FSProblem->Arg);
+- printf(" to this function call does not come from an untrusted source that could\n");
+- printf(" have added formatting characters that the code is not prepared to handle.\n");
+- printf(" <br/>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Check to be sure that the non-constant format string passed as argument %d \n", ptr->data->FSProblem->Arg);
++ printf("to this function call does not come from an untrusted source that could\n");
++ printf("have added formatting characters that the code is not prepared to handle.\n");
++ printf("</p>\n");
+ break;
+
+ case InputProblem:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: <tt>%s</tt></p>\n",
+ ptr->data->Name);
+- printf(" Argument %d to this function call should be checked to ensure that it does\n", ptr->data->InputProblem->Arg);
+- printf(" not come from an untrusted source without first verifying that it contains\n");
+- printf(" nothing dangerous.\n");
+- printf(" <br/>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Argument %d to this function call should be checked to ensure that it does\n", ptr->data->InputProblem->Arg);
++ printf("not come from an untrusted source without first verifying that it contains\n");
++ printf("nothing dangerous.\n");
++ printf("</p>\n");
+ break;
+
+ case Info:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: <tt>%s</tt></p>\n",
+ ptr->data->Name);
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
+ if (ptr->data->Info->Description != (char *)NULL) {
+ cleanup_string(ptr->data->Info->Description);
+- printf(" %s\n", ptr->data->Info->Description);
++ printf("<p>%s</p>\n", ptr->data->Info->Description);
+ }
+ if (ptr->data->Info->URL != (char *)NULL) {
+ cleanup_string(ptr->data->Info->URL);
+ /* This should possibly be made into it's own tag -- Robert */
+- printf(" See also:\n %s\n", ptr->data->Info->URL);
++ printf("<p> See also:\n %s</p>\n", ptr->data->Info->URL);
+ }
+- printf(" <br/>\n");
+ break;
+
+ case RaceConditionCheck:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: %s</p>\n",
+ ptr->data->Name);
+- printf(" A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists.\n");
+- printf(" This is the first line where a check has occured.");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists.\n");
++ printf("This is the first line where a check has occured.</p>");
+ if (ptr->uses != (toctou_use_t *)NULL && ptr->uses[0].lineno != 0)
+ {
+- printf("\n The following line(s) contain uses that may match up with this check:\n");
++ printf("<p>The following line(s) contain uses that may match up with this check:\n");
+ for (i = 0; ptr->uses[i].lineno != 0; i++)
+ printf(" %s%d (%s)", (i == 0 ? "" : ", "), ptr->uses[i].lineno, ptr->uses[i].name);
+- printf("\n");
++ printf("</p>\n");
+ }
+ else
+ {
+- printf(" No matching uses were detected.\n");
++ printf("<p>No matching uses were detected.</p>\n");
+ }
+- printf(" <br/>\n");
+ break;
+
+ case RaceConditionUse:
+- printf(" Issue: fixed size local buffer<br/>\n");
+- printf(" A potential race condition vulnerability exists here. Normally a call\n");
+- printf(" to this function is vulnerable only when a match check precedes it. No\n");
+- printf(" check was detected, however one could still exist that could not be\n");
+- printf(" detected.\n");
+- printf(" <br/>\n");
++ printf("<p>Issue: fixed size local buffer</p>\n");
++ printf("<p>A potential race condition vulnerability exists here. Normally a call\n");
++ printf("to this function is vulnerable only when a match check precedes it. No\n");
++ printf("check was detected, however one could still exist that could not be\n");
++ printf("detected.</p>\n");
+ break;
+
+ case StaticLocalBuffer:
+- printf(" Issue: fixed size global buffer<br/>\n");
+- printf(" Extra care should be taken to ensure that character arrays that are\n");
+- printf(" allocated on the stack are used safely. They are prime targets for\n");
+- printf(" buffer overflow attacks.\n");
+- printf(" <br/>\n");
++ printf("<p>Issue: fixed size global buffer</p>\n");
++ printf("<p>Extra care should be taken to ensure that character arrays that are\n");
++ printf("allocated on the stack are used safely. They are prime targets for\n");
++ printf("buffer overflow attacks.</p>\n");
+ break;
+
+ case StaticGlobalBuffer:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: %s</p>\n",
+ ptr->data->Name);
+- printf(" Extra care should be taken to ensure that character arrays that are\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Extra care should be taken to ensure that character arrays that are\n");
+ printf(" allocated with a static size are used safely. This appears to be a\n");
+ printf(" global allocation and is less dangerous than a similar one on the stack.\n");
+ printf(" Extra caution is still advised, however.\n");
+@@ -1064,17 +1076,21 @@ static void build_html_vulnerability(vulnerability_t *ptr) {
+ break;
+
+ case Reference:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: %s</p>\n",
+ ptr->data->Name);
+- printf(" A function call is not being made here, but a reference is being made to\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>A function call is not being made here, but a reference is being made to\n");
+ printf(" a name that is normally a vulnerable function. It could be being\n");
+ printf(" assigned as a pointer to function.\n\n");
+- printf(" <br/>\n");
++ printf(" </p>\n");
+ break;
+
+ case PythonBacktick:
+- printf(" Issue: backtick<br/>\n");
+- printf(" Do not use a variable that has been derived from untrusted sources\n");
++ printf("<p>Issue: backtick</p>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>Do not use a variable that has been derived from untrusted sources\n");
+ printf(" within a backtick. Doing so could allow an attacker to execute\n");
+ printf(" arbitrary python code.\n");
+ printf(" <br/>\n");
+@@ -1083,18 +1099,21 @@ static void build_html_vulnerability(vulnerability_t *ptr) {
+ case PhpBacktick:
+ case PerlBacktick:
+ case RubyBacktick:
+- printf(" Issue: backtick<br/>\n");
+- printf(" The backtick will act just like an call to exec(), so care should be\n");
++ printf("<p>Issue: backtick</p>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p>The backtick will act just like an call to exec(), so care should be\n");
+ printf(" exercised that the string being backtick evaluated does not come from an\n");
+ printf(" untrusted source.\n");
+- printf(" <br/>\n");
++ printf(" </p>\n");
+ break;
+
+ case None:
+- printf(" Issue: %s<br/>\n",
++ printf("<p>Issue: %s</p>\n",
+ ptr->data->Name);
+- printf(" Unknown!?!?\n\n");
+- printf(" <br/>\n");
++ printf("<p>Severity: <b>%s</b></p>\n",
++ severities[ptr->severity]);
++ printf("<p> Unknown!?!?</p>\n\n");
+ break;
+ }
+ }
+@@ -1104,7 +1123,7 @@ void generate_html() {
+ vulnerability_t * ptr;
+
+ /* Initial necessary cruft */
+- printf("<h2>RATS results.\n</h2><br>\n");
++ printf("<h2>RATS results.\n</h2>\n");
+
+ /* Loop iterates through all of the problems found */
+ for (ptr = list_head; ptr != (vulnerability_t *)NULL; ptr = ptr->next) {
+@@ -1133,7 +1152,7 @@ void generate_html() {
+ printf("<ul>\n");
+ if (!(flags & SHOW_CONTEXT))
+ {
+- printf("File: <b>%s</b><br/>Lines: \n",
++ printf("<li>File: <b>%s</b><br/>Lines: \n",
+ ptr->filename);
+ }
+ }
+@@ -1151,11 +1170,12 @@ void generate_html() {
+ printf("File: <b>%s</b> Line:<b>%d", ptr->filename, ptr->lineno);
+ if (flags & SHOW_COLUMNS)
+ printf("[%d]", ptr->column);
+- printf("</b><br>\n");
++ printf("</b>\n");
+ ctx = getctx(ptr->filename, ptr->lineno);
+ if(ctx)
+ {
+- printf("%s<br>\n", ctx);
++ ctx = xml_escape(ctx);
++ printf("%s\n", ctx);
+ free(ctx);
+ }
+ }
+@@ -1167,7 +1187,7 @@ void generate_html() {
+ if(ptr->next==(vulnerability_t *)NULL||
+ strcmp(ptr->filename,ptr->next->filename)|| ptr->type == RaceConditionCheck ||
+ ptr->next->type != ptr->type || ptr->next->data != ptr->data) {
+- printf(" </ul>\n");
++ printf("</li>\n </ul>\n");
+ }
+
+ /* If the next vuln is different reset the vuln_reported variable to 0 so
+@@ -1182,12 +1202,7 @@ void generate_html() {
+
+ printf("<h3>Inputs detected at the following points</h3>\n");
+
+- printf("<ul>\n");
+ html_report_inputs();
+- printf("</ul>\n");
+-
+- printf("<br><br>\n");
+-
+
+ if (!(flags & NO_FOOTER))
+ {
+@@ -1208,9 +1223,9 @@ void generate_html() {
+ #endif
+
+
+- printf("Total lines analyzed: <b>%d</b><br>\n", total_lines);
+- printf("Total time <b>%f</b> seconds<br>\n", fsecs);
+- printf("<b>%d</b> lines per second<br>\n", (int)(total_lines/fsecs));
++ printf("<p>Total lines analyzed: <b>%d</b></p>\n", total_lines);
++ printf("<p>Total time <b>%f</b> seconds</p>\n", fsecs);
++ printf("<p><b>%d</b> lines per second</p>\n", (int)(total_lines/fsecs));
+ }
+
+ printf("</body></html>\n");
+--
+2.0.0
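Review bot: Moving the severity line from above the `switch` into each case drops it for two finding types: the `RaceConditionUse` and `StaticLocalBuffer` cases in the new patch never print `severities[ptr->severity]`, so those findings appear in the HTML report with no severity while every other type now has one. Each of those cases should get the same `printf("<p>Severity: <b>%s</b></p>\n", severities[ptr->severity]);` the other cases received. The `PythonBacktick` case opens a `<p>` but leaves the trailing `printf(" <br/>\n");` as context instead of turning it into `printf(" </p>\n");` as `Reference` and `PhpBacktick` do, and since the single line between the first two report.c hunks is untouched, `StaticGlobalBuffer` appears to have the same unclosed paragraph. In `generate_html`, `ctx = xml_escape(ctx);` overwrites the pointer returned by `getctx()` before `free(ctx)`; unless `xml_escape` frees or returns its input the original buffer leaks, and if it can return NULL the following `printf("%s\n", ctx)` is undefined, so a separate `escaped` variable would make the ownership explicit. Escaping the context is the right idea because audited source text lands in an HTML report, but `ptr->filename` and `ptr->data->Name` are still printed raw on the same page.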
diff --git a/rats-2.1-gtk-vuln.patch b/rats-2.4-gtk-vuln.patch
similarity index 81%
rename from rats-2.1-gtk-vuln.patch
rename to rats-2.4-gtk-vuln.patch
index e8b7d26..64154ab 100644
--- a/rats-2.1-gtk-vuln.patch
+++ b/rats-2.4-gtk-vuln.patch
@@ -1,6 +1,6 @@
-=== modified file 'rats-c.xml'
---- rats-c.xml 2007-10-09 18:57:42 +0000
-+++ rats-c.xml 2007-10-09 19:11:54 +0000
+diff -Naur rats-2.4-orig/rats-c.xml rats-2.4/rats-c.xml
+--- rats-2.4-orig/rats-c.xml 2013-12-27 07:31:41.628500112 +0100
++++ rats-2.4/rats-c.xml 2013-12-27 07:33:23.521908145 +0100
@@ -2830,5 +2830,22 @@
<Severity>High</Severity>
</Info>
@@ -24,4 +24,3 @@
+
</VulnDB>
-
diff --git a/rats-2.4-hash.patch b/rats-2.4-hash.patch
new file mode 100644
index 0000000..bd40ed0
--- /dev/null
+++ b/rats-2.4-hash.patch
@@ -0,0 +1,40 @@
+diff -Naur rats-2.4-orig/hash.c rats-2.4/hash.c
+--- rats-2.4-orig/hash.c 2013-12-27 05:57:21.220367458 +0100
++++ rats-2.4/hash.c 2013-12-27 06:15:58.479535501 +0100
+@@ -79,13 +79,13 @@
+ }
+
+
+-char **
++const char **
+ HashKeys(Hash myhash)
+ {
+ hscan_t hs;
+ hnode_t *hn;
+ long nents = 0;
+- char **ret = NULL;
++ const char **ret = NULL;
+ int i = 0;
+
+ nents = HashCount(myhash);
+@@ -93,7 +93,7 @@
+ hash_scan_begin(&hs, myhash);
+ while ((hn = hash_scan_next(&hs)))
+ {
+- char *tmp = hnode_getkey(hn);
++ const char *tmp = hnode_getkey(hn);
+ ret[i++] = tmp;
+ }
+ ret[i] = NULL;
+diff -Naur rats-2.4-orig/hash.h rats-2.4/hash.h
+--- rats-2.4-orig/hash.h 2013-12-27 05:57:21.220367458 +0100
++++ rats-2.4/hash.h 2013-12-27 06:14:59.260058484 +0100
+@@ -32,7 +32,7 @@
+ void *HashGet(Hash,char *);
+ int HashDelete(Hash,char *);
+ long HashCount(Hash);
+-char **HashKeys(Hash);
++const char **HashKeys(Hash);
+ void HashFreeKeys(Hash, char **);
+
+ #endif
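Review bot: `HashKeys` now returns `const char **`, but `HashFreeKeys(Hash, char **)` on the very next line of hash.h is unchanged, so the natural pairing `HashFreeKeys(h, HashKeys(h))` now passes `const char **` where `char **` is expected — an incompatible-pointer-type diagnostic from the compiler, and an error wherever the build treats warnings as errors. The prototype should move in step, `void HashFreeKeys(Hash, const char **);`, with its definition (not in this patch) updated to match. In `HashKeys` the array is indexed by `int i` while `nents` is `long`; that is pre-existing, and the allocation of `ret` is outside the hunk, so the bound on `ret[i] = NULL` cannot be checked here.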
diff --git a/rats.spec b/rats.spec
index 6ea7e50..2b882ab 100644
--- a/rats.spec
+++ b/rats.spec
@@ -1,30 +1,27 @@
Name: rats
-Version: 2.1
-Release: 13%{?dist}
+Version: 2.3
+Release: 1%{?dist}
Summary: Rough Auditing Tool for Security
-
-Group: Development/Tools
License: GPLv2
-URL: http://www.fortifysoftware.com/security-resources/rats.jsp
-Source0: http://www.fortifysoftware.com/servlet/downloads/public/rats-%{version}.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+URL: https://code.google.com/p/rough-auditing-tool-for-security/
+Source0: https://rough-auditing-tool-for-security.googlecode.com/files/rats-%{version}.tgz
Patch1: rats-2.1-build-clean.patch
Patch2: rats-2.1-php.patch
Patch3: rats-2.1-report.patch
Patch4: rats-2.1-lex.patch
Patch5: rats-2.1-gtk-vuln.patch
-BuildRequires: expat-devel, flex
-Requires: expat
+BuildRequires: expat-devel
+BuildRequires: flex
%description
-RATS scans through code, finding potentially dangerous function calls.
-The goal of this tool is not to definitively find bugs (yet). The
-current goal is to provide a reasonable starting point for performing
-manual security audits.
+RATS(Rough Auditing Tool for Security) scans through code, finding potentially
+dangerous function calls. The goal of this tool is not to definitively find
+bugs (yet). The current goal is to provide a reasonable starting point for
+performing manual security audits.
-The initial vulnerability database is taken directly from things that
-could be easily found when starting with the forthcoming book,
-"Building Secure Software" by Viega and McGraw.
+The initial vulnerability database is taken directly from things that could be
+easily found when starting with the forthcoming book, "Building Secure
+Software" by Viega and McGraw.
%prep
%setup -q
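Review bot: `Version: 2.3` contradicts the rest of the commit — the title, `.gitignore` and `sources` all refer to rats-2.4.tgz, and `Source0` expands `%{version}`, so the build would look for a 2.3 tarball that `sources` does not carry; it should read `Version: 2.4`. The unchanged `Patch1`–`Patch4` lines still name `rats-2.1-build-clean.patch`, `rats-2.1-php.patch`, `rats-2.1-report.patch` and `rats-2.1-lex.patch`, which the diffstat shows as deleted or renamed, and `Patch5` still names `rats-2.1-gtk-vuln.patch` although it is renamed to `rats-2.4-gtk-vuln.patch`; the new `0001-`/`0002-`/`0003-` patches and `rats-2.4-hash.patch` are not listed at all, so `%prep` (outside the hunk) will presumably stop at the first missing file. No hunk in this diff touches `%changelog`, so the update also lacks an entry.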
@@ -40,19 +37,14 @@ make %{?_smp_mflags} lex
make %{?_smp_mflags}
%install
-rm -rf $RPM_BUILD_ROOT
#make install doesn't accept DESTDIR or other ways of not installing to PREFIX.
# So, we do the install ourselves due to so few files to install.
-mkdir -p $RPM_BUILD_ROOT/{%{_datadir}/rats,%{_bindir},%{_mandir}/man1}
-install -c rats $RPM_BUILD_ROOT/%{_bindir}
-install -c -m644 *.xml $RPM_BUILD_ROOT/%{_datadir}/rats
-install -c -m644 *.1 $RPM_BUILD_ROOT/%{_mandir}/man1
-
-%clean
-rm -rf $RPM_BUILD_ROOT
+mkdir -p %{buildroot}{%{_datadir}/rats,%{_bindir},%{_mandir}/man1}
+install -c rats %{buildroot}%{_bindir}
+install -c -m644 *.xml %{buildroot}%{_datadir}/rats
+install -c -m644 *.1 %{buildroot}%{_mandir}/man1
%files
-%defattr(644,root,root,755)
%dir %{_datadir}/rats
%doc README README.win32
%attr(755,root,root) %{_bindir}/*
diff --git a/sources b/sources
index 6d777b3..adfba2c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-adf31806f1eff0c353abcfd57653ecb3 rats-2.1.tar.gz
+86afc955a26811d0d631e69113a75368 rats-2.4.tgz