This is a patch for flawfinder 1.21 which adds some fuzzy format string hunting capabilities.

The basic idea is to look for functions which are called with format strings and record the format mask position (the first pass). In the second pass, calls of these functions are searched for ones in which the format position is the last argument and it is not a constant string. This patch caught a few bugs (grep catches them also, of course).

Wrote it in a few hours without having a clue about Python, so don't flame me; I can't code, I know it :)

Options:

--hunt=filename
    Store format functions in filename (first pass).
--loadhunt=filename
    Load format functions from filename and examine their usage (second pass).
--huntaggressive
    Also look for functions whose definitions contain "..." or "va_list". Even more false positives; not quite recommended.

Usage:

./flawfinder6 --hunt=loghu ../ethereal-0.9.0
#^^^^ (first pass, stores potential functions in file loghu)
./flawfinder6 --loadhunt=loghu ../ethereal-0.9.0 >logethe2
#^^^^ (second pass, examines the usage of the functions)

Sometimes functions which do not contain a format mask are reported. In this case, open loghu (or whatever name it was saved under) and add "-" (a minus sign) after the "I". For example, to exclude "return", edit loghu this way:

-----
sS'return'
p25
I-1
-----

Minus added between I and 1.

Then in logethe2, after skipping a lot of false positives, the following line shows an exploitable format string bug:

----
../ethereal-0.9.0/packet-socks.c:914 [4] (generic format argument: format_text(data, linelen)) proto_tree_add_text: app_log_error. Generated.
----

Bugs: False positives and others.
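A minimal reimplementation of the two-pass idea described above, added here as an illustration; it is not Guninski's patch and not flawfinder code. The hunt file is modelled as a plain dict (a negative position plays the role of the hand-edited "I-1"), and the function names and the C sample are constructed.

```python
import re

CALL_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(([^;{}]*?)\)\s*;')   # name(args);
STRING_LIT = re.compile(r'"(?:[^"\\]|\\.)*"')                     # one C literal

def split_args(argtext):
    """Split on top-level commas, ignoring nested parens and string literals."""
    args, cur, depth, in_str, prev = [], '', 0, False, ''
    for ch in argtext:
        if ch == '"' and prev != '\\':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == ',' and depth == 0:
            args.append(cur.strip())
            cur, prev = '', ch
            continue
        cur, prev = cur + ch, ch
    return args + [cur.strip()] if cur.strip() else args

def hunt(source):
    """Pass 1 (--hunt): function name -> position of a '%'-bearing literal."""
    fmt_funcs = {}
    for name, argtext in CALL_RE.findall(source):
        for i, arg in enumerate(split_args(argtext)):
            if STRING_LIT.fullmatch(arg) and '%' in arg:
                fmt_funcs.setdefault(name, i)
    return fmt_funcs

def loadhunt(source, fmt_funcs):
    """Pass 2 (--loadhunt): calls where the recorded format position is the
    last argument and not a constant string; a negative position excludes."""
    hits = []
    for name, argtext in CALL_RE.findall(source):
        pos = fmt_funcs.get(name)
        if pos is None or pos < 0:
            continue
        args = split_args(argtext)
        if len(args) == pos + 1 and not STRING_LIT.fullmatch(args[pos]):
            hits.append(f'{name}({", ".join(args)})')
    return hits

# Constructed sample: the first call teaches the format position, the second
# passes a computed buffer straight through as the format.
SAMPLE_C = '''
app_log_error("%s: read %d bytes", name, n);
app_log_error(format_text(data, linelen));
app_log_error("plain message");
'''
```

Running `loadhunt(SAMPLE_C, hunt(SAMPLE_C))` reports only the second call; passing `{'app_log_error': -1}` instead of the learned dict suppresses it, as the hand-edited hunt file does.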
Availability:

flawfinder 1.21 is at http://www.dwheeler.com/flawfinder/flawfinder-1.21.tar.gz
or at http://packetstormsecurity.nl/UNIX/security/

The patch is at: http://www.guninski.com/flaw-patch.1
md5sum f5d91465ed91a44eceaf7faea9519a99 flaw-patch.1

This readme is at: http://www.guninski.com/flaw.README.georgi.txt

Misc:

If it were compatible with the GPL, I would have forbidden access to this patch to microsoft and governments.

Georgi Guninski