
[avrdude-dev] AVRDUDE code audit


From: Brian Dean
Subject: [avrdude-dev] AVRDUDE code audit
Date: Fri, 12 Dec 2003 17:31:51 -0500
User-agent: Mutt/1.5.5.1i

Hey Guys,

As per the statement on savannah, I've checked out both the latest and
the 9/16 versions of the avrdude source and done a diff.  I haven't
seen anything that would lead me to believe that any code was
maliciously inserted into our project.  However, several of us made
changes over the last few months, some were our own changes and some
were patches submitted by others.  If you get a few moments, can you
please look over the areas that you changed recently (via the diff
between latest and 9/16) and double check for any changes that were
different from your original submission?

While I doubt that we've been targeted, better safe than sorry.  I
would specifically look for any cases where array index values might
have been subverted to cause buffer overflows, and other hard to catch
changes that might go unnoticed.

If, assuming the worst, avrdude was changed to allow system
compromise, I'm thinking that at least on Unix (not sure about
Windows), avrdude only ever runs as the invoking user.  We've
specifically used /dev devices to access the parallel port instead of
running setuid root in order to gain I/O privilege and accessing the
parallel port registers directly.  Still ... I, as I'm sure you would
be too, would be pretty sad if avrdude was used in a malicious way.
Let's please do our best to ensure that none of our code was
compromised.

The total diff I have was 2527 lines plus three new files (avrpart.c &
butterfly.*), lots of which were doc and config file changes - not too
bad to look through.

Thanks!
-Brian



