On Wednesday, March 01, 2017 19:42:29 Pádraig Brady wrote:
> We plan to release coreutils-8.27 in about a week, so any testing
> you can do on various different systems between now and then
> would be most welcome.
>
> --------------------------------------
>
> You can download the coreutils snapshot in xz format (5.2 MB) from:
> https://pixelbeat.org/cu/coreutils-ss.tar.xz
>
> And verify with gpg or md5sum with:
> https://pixelbeat.org/cu/coreutils-ss.tar.xz.sig
> MD5 (coreutils-ss.tar.xz) = 11633dc2137c50cb7a63e4c19edae7e9
>
> --------------------------------------
I am able to build it for Fedora (the upstream test-suite runs during
the build). Also tried a differential static analysis scan and no
new defects were found. Moreover, 3 defects were detected as fixed
in the snapshot (attached).
Looks good!
Kamil
Fixed defects
List of Defects
Error: COMPILER_WARNING: [1][#def1]
coreutils-8.26/src/expand-common.c:233:21: warning: 'num_start' may be used uninitialized in this function [-Wmaybe-uninitialized]
#   char *bad_num = xstrndup (num_start, len);
#                             ^~~~~~~
#  231|   {
#  232|     size_t len = strspn (num_start, "0123456789");
#  233|->   char *bad_num = xstrndup (num_start, len);
#  234|     error (0, 0, _("tab stop is too large %s"), quote (bad_num));
#  235|     free (bad_num);
Error: TOCTOU (CWE-367): [2][#def2]
coreutils-8.26/src/ln.c:241: fs_check_call: Calling function "stat" to perform check on "source".
coreutils-8.26/src/ln.c:304: toctou: Calling function "symlink" that uses "source" after a check function. This can cause a time-of-check, time-of-use race condition.
#  302|     source = rel_source = convert_abs_rel (source, dest);
#  303|
#  304|->  ok = ((symbolic_link ? symlink (source, dest)
#  305|            : linkat (AT_FDCWD, source, AT_FDCWD, dest,
#  306|                      logical ? AT_SYMLINK_FOLLOW : 0))
Error: TOCTOU (CWE-367): [3][#def3]
coreutils-8.26/src/ln.c:216: fs_check_call: Calling function "lstat" to perform check on "dest".
coreutils-8.26/src/ln.c:330: toctou: Calling function "unlink" that uses "dest" after a check function. This can cause a time-of-check, time-of-use race condition.
#  328|   if (!ok && errno == EEXIST && (remove_existing_files || dest_backup))
#  329|     {
#  330|->    if (unlink (dest) != 0)
#  331|        {
#  332|          error (0, errno, _("cannot remove %s"), quoteaf (dest));
Scan Properties
analyzer-version-clang 3.9.0
analyzer-version-coverity 8.7.1
analyzer-version-cppcheck 1.77
analyzer-version-gcc 7.0.1
analyzer-version-pylint 1.6.5
analyzer-version-shellcheck 0.4.5
cov-compilation-unit-count 520
cov-compilation-unit-ratio 99
cov-lines-processed 181482
cov-time-elapsed-analysis 00:01:44
diffbase-analyzer-version-clang 3.9.0
diffbase-analyzer-version-coverity 8.7.1
diffbase-analyzer-version-cppcheck 1.77
diffbase-analyzer-version-gcc 7.0.1
diffbase-analyzer-version-pylint 1.6.5
diffbase-analyzer-version-shellcheck 0.4.5
diffbase-cov-compilation-unit-count 527
diffbase-cov-compilation-unit-ratio 99
diffbase-cov-lines-processed 182239
diffbase-cov-time-elapsed-analysis 00:01:46
diffbase-exit-code 0
diffbase-host cov02.lab.eng.brq.redhat.com
diffbase-mock-config fedora-rawhide-x86_64
diffbase-store-results-to /tmp/tmp0CutRC/coreutils-8.26-9999.fc27.tar.xz
diffbase-time-created 2017-03-02 13:58:17
diffbase-time-finished 2017-03-02 14:11:57
diffbase-tool csmock
diffbase-tool-args '/usr/bin/csmock' '-t' '' '-o' '/tmp/tmp0CutRC/coreutils-8.26-9999.fc27.tar.xz' '-r' 'fedora-rawhide-x86_64' '--all-tools' '--cov-analyze-opts=--security --concurrency' '--cov-use-version' 'cov-sa-8.7' '--cov-fs-capture' '/tmp/tmp0CutRC/coreutils-8.26-9999.fc27.src.rpm'
diffbase-tool-version csmock-2.0.1.20160927.180228.g00ed03d-1.el6
exit-code 0
host cov02.lab.eng.brq.redhat.com
mock-config fedora-rawhide-x86_64
store-results-to /tmp/tmpKmRu2B/coreutils-8.26-7.fc26.tar.xz
time-created 2017-03-02 13:44:08
time-finished 2017-03-02 13:57:32
title Fixed defects
tool csmock
tool-args '/usr/bin/csmock' '-t' '' '-o' '/tmp/tmpKmRu2B/coreutils-8.26-7.fc26.tar.xz' '-r' 'fedora-rawhide-x86_64' '--all-tools' '--cov-analyze-opts=--security --concurrency' '--cov-use-version' 'cov-sa-8.7' '--cov-fs-capture' '/tmp/tmpKmRu2B/coreutils-8.26-7.fc26.src.rpm'
tool-version csmock-2.0.1.20160927.180228.g00ed03d-1.el6
References
1. file://localhost/tmp/tmpsJYvDF.html#def1
2. file://localhost/tmp/tmpsJYvDF.html#def2
3. file://localhost/tmp/tmpsJYvDF.html#def3