Hello, here are results of Coverity difference scan of subscription-manager between el5.8 and el5.9 (rebase subscription-manager-0.98.14-1 ~> subscription-manager-1.0.12-1). 1. bad use of sizeof => src/rhsmcertd.c:313 s|sizeof(config)|sizeof(*config)| 2. low prio use of uninitialized value 'use_stdout' => src/rhsmcertd.c:113 3. missing va_end() call => src/rhsmcertd.c:115 => src/rhsmcertd.c:258 These bugs are mentioned just as a warning and it depends on you whether they will be fixed. List of all defects is attached. Quality engineering: This issues were found by static analysis tool and we can't provide any reproducer for these. We will verify the fix once available. Please check these tests as SanityOnly (just check that patches for the issues and nothing unexpected is added by the commit). If you want to check the new package with Coverity yourself, feel free to use covscan tool (https://engineering.redhat.com/trac/CoverityScan/wiki/covscan). Pavel
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
fixed in master at 5c3af236d0ca8c76cf468ff56cb875c67c07f75b
List of fixed defects in subscription-manager-1.0.19-1.el5 $ csdiff -x subscription-manager-1.0.12-1.el5.err \ subscription-manager-1.0.19-1.el5.err Error: SIZEOF_MISMATCH (CWE-569): /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:313: suspicious_sizeof: Passing argument "8UL /* sizeof (config) */" to function "malloc" and then casting the return value to "Config *" is suspicious. Did you intend to use "sizeof(*config)" instead of "sizeof (config)" ? In this particular case sizeof(Config *) happens to be equal to sizeof(Config), but this is not a portable assumption. Error: UNINIT (CWE-457): /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:99: var_decl: Declaring variable "use_stdout" without initializer. /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:113: uninit_use: Using uninitialized value "use_stdout". Error: VARARGS (CWE-234): /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:107: va_init: Initializing va_list "argp". /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:116: missing_va_end: va_end was not called for "argp". Error: VARARGS (CWE-234): /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:256: va_init: Initializing va_list "argp". /builddir/build/BUILD/subscription-manager-1.0.12/src/rhsmcertd.c:259: missing_va_end: va_end was not called for "argp". Relevant build logs: http://releng-test1.englab.brq.redhat.com/covscan/task/893/ Thanks for fixing! This bug may be switched to VERIFIED. Pavel
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0033.html