/zcash

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NCC-2016-008 - Potential uninitialized reads #1464

Closed
daira opened this Issue Sep 30, 2016 · 1 comment

Comments

Assignees

@bitcartel bitcartel

@daira daira

Labels
Projects
None yet
Milestone
  1.0.0-rc2
3 participants
@daira @nathan-at-least @bitcartel
@daira
Contributor

daira commented Sep 30, 2016
edited
Edited 1 time
  • @daira daira edited Oct 23, 2016 (most recent)

Various reads of uninitialized data (listed in the NCC report). Some and possibly all of them are false positives because the data does get initialized in actual usage of the relevant classes; just not in a way that Coverity can determine to be statically guaranteed. We're changing them so that Coverity can tell they are initialized.

@daira daira added SECURITY NCC finding labels Sep 30, 2016

@daira daira changed the title from NCC-2016-014 to NCC-2016-008 Sep 30, 2016

@daira daira added the needs prioritization label Sep 30, 2016

@nathan-at-least nathan-at-least removed the needs prioritization label Oct 3, 2016

@nathan-at-least nathan-at-least added this to the 1.0.0-rc1 milestone Oct 3, 2016

@nathan-at-least

This comment has been minimized.

Show comment
Hide comment
@nathan-at-least

nathan-at-least Oct 3, 2016

Contributor

Let's narrow the scope of this for only code we've altered from Bitcoin + the portions of libsnark we use, and exclude dependencies, and ensure we do that for rc1.
Contributor

nathan-at-least commented Oct 3, 2016

Let's narrow the scope of this for only code we've altered from Bitcoin + the portions of libsnark we use, and exclude dependencies, and ensure we do that for rc1.

@bitcartel bitcartel assigned daira Oct 6, 2016

@nathan-at-least nathan-at-least modified the milestones: 1.0.0-rc1, 1.0.0-rc2 Oct 17, 2016

@nathan-at-least nathan-at-least assigned bitcartel Oct 17, 2016

@bitcartel bitcartel referenced this issue Oct 20, 2016

Merged

Fixes for NCC-2016-008 #1581

@bitcartel bitcartel added the has PR label Oct 20, 2016

zkbot pushed a commit that referenced this issue Oct 21, 2016

zkbot
Auto merge of #1581 - bitcartel:1464_ncc_2016_008, r=str4d 
Fixes for NCC-2016-008

To close #1464 NCC-2016-088

- This PR
- zcash/libsnark#8

Of the 101 issues in NCC-2016-088, 62 are in dependencies, and many of the remainder are duplicates of the CIDs fixed in this PR.

Commit log message is: CID Type (Type is from scan.coverity Type column)
f05045a

zkbot pushed a commit that referenced this issue Oct 21, 2016

zkbot
Auto merge of #1581 - bitcartel:1464_ncc_2016_008, r=str4d 
Fixes for NCC-2016-008

To close #1464 NCC-2016-088

- This PR
- zcash/libsnark#8

Of the 101 issues in NCC-2016-088, 62 are in dependencies, and many of the remainder are duplicates of the CIDs fixed in this PR.

Commit log message is: CID Type (Type is from scan.coverity Type column)
cc11d01

zkbot pushed a commit that referenced this issue Oct 22, 2016

zkbot
Auto merge of #1581 - bitcartel:1464_ncc_2016_008, r=daira 
Fixes for NCC-2016-008

To close #1464 NCC-2016-088

- This PR
- zcash/libsnark#8

Of the 101 issues in NCC-2016-088, 62 are in dependencies, and many of the remainder are duplicates of the CIDs fixed in this PR.

Commit log message is: CID Type (Type is from scan.coverity Type column)
1f8ad0e

zkbot pushed a commit that referenced this issue Oct 22, 2016

zkbot
Auto merge of #1581 - bitcartel:1464_ncc_2016_008, r=str4d 
Fixes for NCC-2016-008

To close #1464 NCC-2016-088

- This PR
- zcash/libsnark#8

Of the 101 issues in NCC-2016-088, 62 are in dependencies, and many of the remainder are duplicates of the CIDs fixed in this PR.

Commit log message is: CID Type (Type is from scan.coverity Type column)
a12eaa2

@zkbot zkbot closed this in #1581 Oct 22, 2016

@daira daira reopened this Oct 23, 2016

@daira daira changed the title from NCC-2016-008 to NCC-2016-008 - Potential uninitialized reads Oct 23, 2016

@daira daira closed this Oct 23, 2016

@daira daira added this to Complete in Security and Stability Nov 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment