openSUSE-SU-2023:0413-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0413-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0413-1
Related
Published
2023-12-24T11:01:00Z
Modified
2023-12-24T11:01:00Z
Summary
Security update for cppcheck
Details

This update for cppcheck fixes the following issues:

  • CVE-2023-39070: Fixed heap use-after-free in removeContradiction() (boo#1215233)

  • update to 2.12.1:

    • Support importing projects with project-name

  • update to 2.12.0:

    • uselessOverride finds overriding functions that either duplicate code from or delegate back to the base class implementation
    • knownPointerToBool finds pointer to bool conversions that are always true or false
    • truncLongCastAssignment and truncLongCastReturn check additional types, including float/double/long double
    • duplInheritedMember also reports duplicated member functions
    • constParameter/constVariable checks find more instances of pointers/references that can be const, e.g. when calling library functions
    • Write how many checkers was activated after a run
    • Added --checkers-report that can be used to generate a report in a file that shows what checkers was activated and disabled
    • The qmake build system has been deprecated and will be removed in a future version.
    • Command-line option '--template

  • update to 2.11:

    • pop_back on empty container is UB
    • Improve useStlAlgorithm check to handle many more conditions in the loop for anyof, allof and none_of algorithms
    • ValueFlow can evaluate the return value of functions even when conditionals are used
    • ValueFlow will now forward the container sizes being returned from a function
    • ValueFlow can infer possible values from possible symbolic values
    • Improve valueflow after pushing to container
    • The new option --check-level= has been added that controls how much checking is made by Cppcheck. The default checking level is 'normal'. If you feel that you can wait longer on results you can use --check-level=exhaustive.
    • It is no longer necessary to run '--check-config' to get detailed 'missingInclude' and 'missingIncludeSystem' messages. They will always be issued in the regular analysis if 'missingInclude' is enabled.
    • 'missingInclude' and 'missingIncludeSystem' are reported with '-j' is > 1 and processes are used in the backend (default in non-Windows binaries)
    • 'missingInclude' and 'missingIncludeSystem' will now cause the '--error-exitcode' to be applied
    • '--enable=information' will no longer implicitly enable 'missingInclude' starting with 2.16. Please enable it explicitly if you require it.
    • The constParameter and constVariable checks have been split into 3 different IDs based on if the variable is a pointer, a reference, or local. The different IDs will allow users to suppress different const warning based on variable type.
    • constParameter
    • constParameterReference
    • constParameterPointer
    • constVariable
    • constVariableReference
    • constVariablePointer
    • More command-line parameters will now check if the given integer argument is actually valid. Several other internal string-to-integer conversions will now be error checked.
    • scanning projects (with -j1) will now defer the analysis of markup files until the whole code was processed

  • update to 2.10.3:

    • SymbolDatabase: Fix handling of function pointer arguments

  • update to 2.10.2:

    • GUI: Set proper title for compliance report dialog
    • GUI: Generate compliance report

    • Tokenizer: tweaked simplification of function pointers

    • fix whole program analysis

    • Import Project: Fix problem with define value with space
    • Fix execution of executable addons from GUI
    • fix for windows installer, no other changes
    • Fixes when importing AST from clang
    • comments can be added at end of suppression in suppressions file is similar to GCC. If you want to get warnings in the old
    • Added Cppcheck annotations cppcheck_low(VALUE) and
    • Added API01-C: Avoid laying out strings in memory directly
    • Duplicate expression for condition and assignment: if (x==3) x=3;
    • Patch was submitted (https://github.com/danmar/cppcheck/pull/1554) and accepted so this change should be reverted and replaced with a CMake compile definition
      • Multifile checking for buffer overruns and uninitialized
      • A bunch of additions to several Libraries, especially

    • Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.

      • Library files have now a 'format' attribute. Format version
      • Cppcheck does no longer abort checking if unhandled
      • Detect shift by too many bits, signed integer overflow and
      • Dead pointer usage when pointer alias local variable that
      • Improved AST creation (support placement new, C++-style
      • Support GCC extension attriute((used)) and MSVC
      • Better support for static member variables, inherited
      • Improved typedef support where multiple variables are
      • Avoid checking code multiple times by calculating a checksum.
      • HTML report: display 'verbose' message using clickable

    • Additionally, lots of false positives and bugs have been fixed

      • Returning references to literals or references to calculation
      • Enhanced support for commutative operators in duplicate
      • Definition of minsize for buffer arguments in .cfg files
      • Fixed handling of #error: Do not report them if -f and -D
      • Generate xml dump of AST/ValueFlow/SymbolDatabase/TokenList
      • Cppcheck requires a C++11 compiler supporting the common subset of features supported by GCC 4.4, Visual Studio 2010
      • Much improved support of complex combinations of function
      • More robust error detection in several checks due to usage
      • Allocation/Deallocation functions can be extend across
      • Better handling of some C++11 language features like enum
      • Check for unhandled exceptions when exception specifiers

    • Additionally, a large number of false positives and crashs has been fixed.

      • New option to enable warnings but not style messages:
      • Cppcheck used to skip includes where the header filename is enclosed in <>. You can now include these headers also by using -I.
      • New POSIX checks: pipe() buffer size, redundant calls of set/get user id, too big value passed to usleep(), buffer
      • Storing getc() return value in char variable and comparing
      • Portability check that warns when using NULL as argument to variadic function. It has undefined behaviour on some
      • Improved checking for uninitialized struct members,
    • Added --include to the cppcheck command line client. This forces inclusion of the given file. This can for instance be used
    • The threads handling has been improved. Using -jN now works in
    • NULL pointers: Improved checking of default function argument values.

  • full change log http://raw.github.com/danmar/cppcheck/master/Changelog

References

Affected packages

SUSE:Package Hub 15 SP5 / cppcheck

Package

Name
cppcheck
Purl
pkg:rpm/suse/cppcheck&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.1-bp155.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "cppcheck": "2.12.1-bp155.2.3.1",
            "cppcheck-gui": "2.12.1-bp155.2.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / cppcheck

Package

Name
cppcheck
Purl
pkg:rpm/opensuse/cppcheck&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.12.1-bp155.2.3.1

Ecosystem specific 

{
    "binaries": [
        {
            "cppcheck": "2.12.1-bp155.2.3.1",
            "cppcheck-gui": "2.12.1-bp155.2.3.1"
        }
    ]
}