A report on the security-weakness analysis of the PostgreSQL 17 source code performed with the Flawfinder tool. The report lists in detail the potential level-4 security issues found in the PostgreSQL 17 source code, which fall mainly into the following groups:
Format string issues
Multiple files use snprintf and vsnprintf: if the format string can be influenced by an attacker, it can be exploited. The report recommends using a constant for the format specification to avoid CWE-134 (unsafe format string). For example:
/opt/postgresql-17.0/contrib/basic_archive/basic_archive.c:208
/opt/postgresql-17.0/contrib/dblink/dblink.c:2767
/opt/postgresql-17.0/contrib/isn/isn.c:429
Buffer overflow issues
Multiple files use strcat and sprintf: these functions do not check for buffer overflows when concatenating or formatting strings, which is a CWE-120 (buffer overflow) risk. The report recommends safer functions such as strcat_s, strncat, strlcat or snprintf. For example:
/opt/postgresql-17.0/contrib/fuzzystrmatch/dmetaphone.c:389
/opt/postgresql-17.0/contrib/intarray/_int_bool.c:628
/opt/postgresql-17.0/contrib/ltree/ltxtquery_io.c:557
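Both fixes the report recommends above (a constant format specification for snprintf, and a bounded replacement for sprintf/strcat) in one added C example; this is not code from the report or from PostgreSQL, and build_label and append_bounded are assumed names.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Pattern flawfinder flags (CWE-134 and CWE-120), kept as a comment only:
 *     sprintf(dst, user_text);
 * The caller's text becomes the format string and nothing bounds the write. */

/* Hardened formatting: the format is a constant, user text is passed as a
 * '%s' argument so any '%' it contains is copied literally, and the write
 * is bounded by dstlen. Returns true if the whole message fit, false if
 * snprintf had to truncate (dst is NUL-terminated either way). */
static bool build_label(char *dst, size_t dstlen,
                        const char *prefix, const char *user_text)
{
    int n = snprintf(dst, dstlen, "%s: %s", prefix, user_text);
    return n >= 0 && (size_t)n < dstlen;
}

/* Bounded replacement for strcat(): appends src to the NUL-terminated dst
 * without writing past dst[dstlen - 1]. Returns 0 on success, -1 if dst is
 * not terminated within dstlen or src would not fit; on failure dst is left
 * unchanged so the caller sees an error instead of silent truncation. */
static int append_bounded(char *dst, size_t dstlen, const char *src)
{
    const char *end = memchr(dst, '\0', dstlen);
    if (end == NULL)
        return -1;                          /* no terminator: refuse to guess */
    size_t used = (size_t)(end - dst);
    size_t need = strlen(src);
    if (need >= dstlen - used)
        return -1;                          /* would overflow or drop the NUL */
    memcpy(dst + used, src, need + 1);      /* copies the terminator too */
    return 0;
}

int main(void)
{
    char buf[16];                           /* constructed sample input */
    bool fit = build_label(buf, sizeof buf, "id", "50% done");
    printf("%s (fit=%d)\n", buf, (int) fit);       /* id: 50% done (fit=1) */

    char path[8] = "ab";
    int rc1 = append_bounded(path, sizeof path, "cde");   /* fits: "abcde" */
    int rc2 = append_bounded(path, sizeof path, "fgh");   /* refused, unchanged */
    printf("%s rc1=%d rc2=%d\n", path, rc1, rc2);         /* abcde rc1=0 rc2=-1 */
    return 0;
}
```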
Cryptographic algorithm issues
The pgcrypto module uses the DES encryption algorithm: DES supports only a 56-bit key size, which is no longer secure against modern computers (CWE-327). The report recommends a stronger encryption algorithm such as 3DES or AES. For example:
/opt/postgresql-17.0/contrib/pgcrypto/openssl.c:669
/opt/postgresql-17.0/contrib/pgcrypto/openssl.c:675
Hash algorithm issues
px-crypt.c uses the crypt function: crypt uses a poor one-way hashing algorithm, accepts passwords of only 8 characters or fewer and uses only a two-byte salt, which leaves it vulnerable to dictionary attacks on modern computing equipment (CWE-327). The report recommends a stronger algorithm such as SHA-256 with a larger, non-repeating salt. For example:
/opt/postgresql-17.0/contrib/pgcrypto/px-crypt.c:46
/opt/postgresql-17.0/contrib/pgcrypto/px-crypt.c:74
Race condition issues
sepgsql/hooks.c uses the access function: this usually indicates a security flaw. If an attacker can change anything along the path between the access call and the file's actual use (for example by moving files), the attacker can exploit the race condition (CWE-362/CWE-367). The report recommends setting up the correct permissions (for example using setuid()) and opening the file directly. For example:
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:86
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:93
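The report's recommendation to open the file directly instead of checking it with access() first, as an added C example that is not code from the report or from PostgreSQL; open_regular_nofollow is an assumed name. As the report itself notes, each hit still has to be confirmed in context before any code is changed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L     /* O_NOFOLLOW, O_CLOEXEC, mkstemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Pattern flawfinder flags (CWE-367), kept as a comment only:
 *     if (access(path, R_OK) == 0) fd = open(path, O_RDONLY);
 * Between the two calls the object behind 'path' can be replaced, so the
 * check says nothing about what open() eventually returns. */

/* Hardened form: open first, then inspect the descriptor actually held via
 * fstat(), so there is no window between check and use. Symbolic links are
 * refused (O_NOFOLLOW) and only regular files are accepted. Returns the fd,
 * or -1 with errno set (EINVAL when the object is not a regular file). */
static int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* errno from open(): ENOENT, EACCES, ELOOP ... */
    struct stat st;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {     /* directory, device, FIFO, socket */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;                      /* read from this fd; never re-open 'path' */
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";   /* "." is a directory: rejected */
    int fd = open_regular_nofollow(path);
    if (fd < 0) {
        perror(path);
        return 1;
    }
    printf("%s: opened as regular file, fd %d\n", path, fd);
    close(fd);
    return 0;
}
```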
Analysis summary
Total hits: 41
Lines analyzed: 100608 in approximately 1.81 seconds (55648 lines/second)
Physical source lines of code (SLOC): 66458
Hits by risk level:
Level 0: 122
Level 1: 117
Level 2: 353
Level 3: 2
Level 4: 41
Level 5: 0
The full report follows for developers' reference.
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
FINAL RESULTS:
/opt/postgresql-17.0/contrib/basic_archive/basic_archive.c:208: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/dblink/dblink.c:2767: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/fuzzystrmatch/dmetaphone.c:389: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
/opt/postgresql-17.0/contrib/intarray/_int_bool.c:628: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
/opt/postgresql-17.0/contrib/isn/isn.c:429: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/isn/isn.c:666: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/ltree/ltxtquery_io.c:557: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
/opt/postgresql-17.0/contrib/oid2name/oid2name.c:524: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
/opt/postgresql-17.0/contrib/oid2name/oid2name.c:531: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
/opt/postgresql-17.0/contrib/oid2name/oid2name.c:539: [4] (buffer) sprintf:
Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
vsnprintf.
/opt/postgresql-17.0/contrib/pg_stat_statements/pg_stat_statements.c:1922: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgcrypto/crypt-md5.c:108: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/pgcrypto/openssl.c:669: [4] (crypto) EVP_des_ecb:
DES only supports a 56-bit keysize, which is too small given today's
computers (CWE-327). Use a different patent-free encryption algorithm with
a larger keysize, such as 3DES or AES.
/opt/postgresql-17.0/contrib/pgcrypto/openssl.c:675: [4] (crypto) EVP_des_cbc:
DES only supports a 56-bit keysize, which is too small given today's
computers (CWE-327). Use a different patent-free encryption algorithm with
a larger keysize, such as 3DES or AES.
/opt/postgresql-17.0/contrib/pgcrypto/px-crypt.c:46: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/pgcrypto/px-crypt.c:74: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
/opt/postgresql-17.0/contrib/pgcrypto/px-crypt.c:105: [4] (crypto) crypt:
The crypt functions use a poor one-way hashing algorithm; since they only
accept passwords of 8 characters or fewer and only a two-byte salt, they
are excessively vulnerable to dictionary attacks given today's faster
computing equipment (CWE-327). Use a different algorithm, such as SHA-256,
with a larger, non-repeating salt.
/opt/postgresql-17.0/contrib/pgcrypto/px.c:158: [4] (format) vsnprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgrowlocks/pgrowlocks.c:187: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
/opt/postgresql-17.0/contrib/pgrowlocks/pgrowlocks.c:209: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
/opt/postgresql-17.0/contrib/pgrowlocks/pgrowlocks.c:212: [4] (buffer) strcat:
Does not check for buffer overflows when concatenating to destination
[MS-banned] (CWE-120). Consider using strcat_s, strncat, strlcat, or
snprintf (warning: strncat is easily misused).
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:136: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:137: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:138: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:140: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:141: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/pgstattuple/pgstattuple.c:143: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/postgres_fdw/connection.c:102: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/postgres_fdw/connection.c:105: [4] (format) snprintf:
If format strings can be influenced by an attacker, they can be exploited,
and note that sprintf variations do not always \0-terminate (CWE-134). Use
a constant for the format specification.
/opt/postgresql-17.0/contrib/seg/seg.c:1011: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/seg/seg.c:1014: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/seg/seg.c:1026: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/seg/seg.c:1029: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/seg/seg.c:1040: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/seg/seg.c:1043: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:86: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:93: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:95: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
/opt/postgresql-17.0/contrib/sepgsql/hooks.c:279: [4] (race) access:
This usually indicates a security flaw. If an attacker can change anything
along the path between the call to access() and the file's actual use
(e.g., by moving files), the attacker can exploit the race condition
(CWE-362/CWE-367!). Set up the correct permissions (e.g., using setuid())
and try to open the file directly.
/opt/postgresql-17.0/contrib/uuid-ossp/uuid-ossp.c:273: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
/opt/postgresql-17.0/contrib/uuid-ossp/uuid-ossp.c:306: [4] (buffer) strcpy:
Does not check for buffer overflows when copying to destination [MS-banned]
(CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy
easily misused).
ANALYSIS SUMMARY:
Hits = 41
Lines analyzed = 100608 in approximately 1.81 seconds (55648 lines/second)
Physical Source Lines of Code (SLOC) = 66458
Hits@level = [0] 122 [1] 117 [2] 353 [3] 2 [4] 41 [5] 0
Hits@level+ = [0+] 635 [1+] 513 [2+] 396 [3+] 43 [4+] 41 [5+] 0
Hits/KSLOC@level+ = [0+] 9.55491 [1+] 7.71916 [2+] 5.95865 [3+] 0.647025 [4+] 0.616931 [5+] 0
Minimum risk level = 4
Not every hit is necessarily a security vulnerability.
You can inhibit a report by adding a comment in this form:
// flawfinder: ignore
Make *sure* it's a false positive!
You can use the option --neverignore to show these.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
Steven.tong 2024.11