Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
From: Erik Cederstrand
To: Gary Palmer
Cc: freebsd-security@freebsd.org
Date: Thu, 24 Apr 2014 08:33:58 +0200
Message-Id: <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk>
In-Reply-To: <20140424000744.GE15884@in-addr.com>
References: <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk> <20140424000744.GE15884@in-addr.com>

On 24/04/2014 at 02.07, Gary Palmer wrote:
> 
> I also think we're getting off topic. Any concrete steps people are
> willing to take to make FreeBSD more secure?
Well, the static analysis reports aren't totally useless, but we need some way of marking them as false positive or wontfix, so the effort isn't duplicated. Out of the 10.000 reports, a conservative guess is that at least 100 of them are real security issues. And they are public, so Mallory can just pick one now and write an exploit. A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.

Erik