From: Florian Weimer
To: Kamil Dudka
Cc: Paul Eggert, bug-gnulib@gnu.org
Subject: Re: Coverity false positives triggered by gnulib's implementation of base64
Date: Fri, 10 May 2019 13:34:55 +0200
List-Id: Gnulib discussion list

* Kamil Dudka:

>> For example, how do you know that the reports are false positives and not
>> true positives?
>
> I think it was obvious from my previous explanation:
>
> (1) You need to check (by manual review) that the source of data is really
> untrusted.
>
> (2) You need to check (by manual review) that there is no sufficient check
> on the data.
>
> (3) You need to check (by manual review) that the sink function is really
> vulnerable to data from untrusted source.
>
> When doing step (3), I verified that Gnulib's base64_encode() can safely
> process data from untrusted source. Then I wanted to record this information
> into the source code so that other users of Gnulib do not need to verify this
> each time they run Coverity on a project that bundles Gnulib's implementation
> of base64_encode().

Does the annotation make the base64 functions trusted in the sense that they
now turn untrusted data into trusted data? That would be undesirable in my
opinion.

Thanks,
Florian