Static Code Analysis Exploits.

From: Patrick Curran
Subject: Static Code Analysis Exploits.
Date:
Msg-id: 531A341E.6030704@contentanalyst.com
Replies: Re: Static Code Analysis Exploits. (Tom Lane <tgl@sss.pgh.pa.us>)
List: pgsql-hackers
Hi,

We use Postgres in our product and we have a client that requires a 
static code analysis scan to detect vulnerabilities. They are concerned 
because the tool (Veracode) found several flaws in Postgres and they 
believe there might be a security risk. I'm sure there are lots of 
companies that use Postgres that have security policies like theirs in 
place, so I'm hoping someone has the experience to know that these are 
false positives or that they are not a security risk for some reason. 
Below is a description of the vulnerability and the location in the 
source code. Version 9.3.2.1 was scanned. Please let me know if there is 
a better place to ask this kind of question.

Thanks,
Patrick

------------------------------------

Stack-based Buffer Overflow (CWE ID 121)(13 flaws):
There is a potential buffer overflow with these functions. If an 
attacker can control the data written into the buffer, the overflow may 
result in execution of arbitrary code.

btree_gist.dll .../btree_gist/btree_utils_num.c 115
btree_gist.dll .../btree_gist/btree_utils_num.c 123
pgcrypto.dll .../contrib/pgcrypto/crypt-md5.c 103
libpq.dll .../interfaces/libpq/fe-connect.c 3185
libpq.dll .../interfaces/libpq/fe-connect.c 3220
clusterdb.exe .../interfaces/libpq/fe-connect.c 3243
libpq.dll .../libpq/fe-protocol3.c 1661
libecpg_compat.dll .../ecpg/compatlib/informix.c 978
pgcrypto.dll .../contrib/pgcrypto/mbuf.c 112
pgcrypto.dll .../contrib/pgcrypto/mbuf.c 290
pgcrypto.dll .../contrib/pgcrypto/mbuf.c 306
pgcrypto.dll .../contrib/pgcrypto/mbuf.c 330
libpq.dll .../interfaces/libpq/pqexpbuffer.c 369

Use of Inherently Dangerous Function (CWE ID 242)(1 flaw):
These functions are inherently unsafe because they do not perform 
bounds checking on the size of their input. An attacker can send overly 
long input and overflow the destination buffer, potentially resulting in 
execution of arbitrary code.

pg_isolation_regress.exe .../src/test/regress/pg_regress.c 2307

Integer Overflow or Wraparound (CWE ID 190)(1 flaw):
An integer overflow condition exists when an integer that has not been 
properly sanity checked is used in the determination of an offset or 
size for memory allocation, copying, concatenation, or similarly. If the 
integer in question is incremented past the maximum possible value, it 
may wrap to become a very small, negative number, therefore providing an 
unintended value. This occurs most commonly in arithmetic operations or 
loop iterations. Integer overflows can often result in buffer overflows 
or data corruption, both of which may be potentially exploited to 
execute arbitrary code.

dict_snowball.dll .../libstemmer/utilities.c 371

Process Control (CWE ID 114)(4 flaws):
A function call could result in a process control attack. An argument to 
a process control function is either derived from an untrusted source or 
is hard-coded, both of which may allow an attacker to execute malicious 
code under certain conditions. If an attacker is allowed to specify all 
or part of the filename, it may be possible to load arbitrary libraries. 
If the location is hard-coded and an attacker is able to place a 
malicious copy of the library higher in the search order than the file 
the application intends to load, then the application will load the 
malicious version.

psql.exe .../src/bin/psql/print.c 752
psql.exe .../src/bin/psql/print.c 791
psql.exe .../src/bin/psql/print.c 2209
psql.exe .../src/bin/psql/print.c 2500
