[tor-bugs] #17852 [Tor]: Tor Daemon hardening
#17852: Tor Daemon hardening
--------------------------+------------------------
 Reporter:  jsturgix      |          Owner:
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:
Component:  Tor           |        Version:  Tor: 0.2.7
 Severity:  Normal        |       Keywords:
Actual Points:            |      Parent ID:
   Points:                |        Sponsor:
--------------------------+------------------------
I ran FlawFinder (http://www.dwheeler.com/flawfinder/), a C static source
code analyzer, against the Tor source, maint-0.2.7 branch. FlawFinder
reported the following results:

Hits = 2348
Lines analyzed = 239214 in 8.25 seconds (30879 lines/second)
Physical Source Lines of Code (SLOC) = 171455
Hits@level = [0] 0 [1] 760 [2] 1550 [3] 14 [4] 14 [5] 10
Hits@level+ = [0+] 2348 [1+] 2348 [2+] 1588 [3+] 38 [4+] 24 [5+] 10
Hits/KSLOC@level+ = [0+] 13.6946 [1+] 13.6946 [2+] 9.26191 [3+] 0.221632 [4+] 0.139978 [5+] 0.0583243
Dot directories skipped = 11 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!

I manually reviewed all hits level 3+. Most were false positives, but I
did make several suggestions that can be found in my Tor repository
(branch maint-0.2.7-codereview).

https://github.com/sturgix/tor/tree/maint-0.2.7-codereview
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17852>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online