Source: alsaplayer Severity: important Tags: patch Please enable hardened build flags through dpkg-buildflags.
Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS) The hardened build flags exposed missing format strings, for which I have attached two patches as well. Cheers, Moritz -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -aur alsaplayer-0.99.80.orig/debian/rules alsaplayer-0.99.80/debian/rules
--- alsaplayer-0.99.80.orig/debian/rules 2012-01-03 22:17:25.000000000 +0100
+++ alsaplayer-0.99.80/debian/rules 2012-01-03 22:18:28.000000000 +0100
@@ -13,7 +13,10 @@
 DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
-CFLAGS = -Wall -g
+CFLAGS = `dpkg-buildflags --get CFLAGS`
+CFLAGS += -Wall
+LDFLAGS = `dpkg-buildflags --get LDFLAGS`
+CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
 ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
 CROSS= --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
@@ -21,16 +24,10 @@
 CROSS= --build $(DEB_BUILD_GNU_TYPE)
 endif
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
-else
- CFLAGS += -O2
-endif
-
 configure-stamp: patch
 dh_testdir
 cd m4 && rm -f audiofile.m4 esd.m4 gtk.m4 libmikmod.m4 libtool.m4 ogg.m4 vorbis.m4
- CFLAGS="$(CFLAGS)" ./configure \
+ CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \
 $(CROSS) \
 --prefix=/usr \
 --mandir=\$${prefix}/share/man \
Nur in alsaplayer-0.99.80/debian: rules~.
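Review bot: CXXFLAGS is neither set in the first hunk nor passed to `./configure` in the second, although the package builds C++ sources (interface/gtk2/gtk_interface.cpp is patched in this same report). Unless configure copies CFLAGS into CXXFLAGS, which is not visible here, the stack-protector and format-security flags may never reach the C++ compiler. Add a fourth assignment fed from `dpkg-buildflags --get CXXFLAGS` beside the other three, and add `CXXFLAGS="$(CXXFLAGS)"` to the configure invocation. Running a checker such as `hardening-check` on the built binaries would confirm that the flags took effect for both the C and C++ objects.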
diff -aur alsaplayer-0.99.80.orig/interface/gtk2/gtk_interface.cpp alsaplayer-0.99.80/interface/gtk2/gtk_interface.cpp --- alsaplayer-0.99.80.orig/interface/gtk2/gtk_interface.cpp 2007-10-29 20:49:48.000000000 +0100 +++ alsaplayer-0.99.80/interface/gtk2/gtk_interface.cpp 2012-01-03 22:32:26.000000000 +0100 @@ -248,7 +248,7 @@ md = gtk_message_dialog_new(GTK_WINDOW(parent), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, _("Error !")); - gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), message); + gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), "%s", message); g_signal_connect(G_OBJECT(md), "delete-event", G_CALLBACK(ap_message_delete), NULL); g_signal_connect(G_OBJECT(md), "response", G_CALLBACK(ap_message_delete), NULL); @@ -262,7 +262,7 @@ md = gtk_message_dialog_new(GTK_WINDOW(parent), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_WARNING, GTK_BUTTONS_CLOSE, _("Warning !")); - gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), message); + gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), "%s", message); g_signal_connect(G_OBJECT(md), "delete-event", G_CALLBACK(ap_message_delete), NULL); g_signal_connect(G_OBJECT(md), "response", G_CALLBACK(ap_message_delete), NULL); @@ -276,7 +276,7 @@ md = gtk_message_dialog_new(GTK_WINDOW(parent), (GtkDialogFlags) (GTK_DIALOG_MODAL|GTK_DIALOG_DESTROY_WITH_PARENT), GTK_MESSAGE_QUESTION, GTK_BUTTONS_YES_NO, _("Excuse me !")); - gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), message); + gtk_message_dialog_format_secondary_text(GTK_MESSAGE_DIALOG(md), "%s", message); g_signal_connect(G_OBJECT(md), "delete-event", G_CALLBACK(ap_message_delete), NULL); Nur in alsaplayer-0.99.80/interface/gtk2: gtk_interface.cpp~.
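Review bot: The dialog title in all three hunks is still passed to `gtk_message_dialog_new` as its printf-style format argument (`_("Error !")`, `_("Warning !")`, `_("Excuse me !")`). A translation catalog entry containing a `%` conversion would therefore be interpreted with no matching arguments, which is the same defect class this patch fixes for `message`. The compiler presumably stays silent because the gettext result is treated as a format literal, so the hardened flags will not catch it. Pass the title as data, e.g. `GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, "%s", _("Error !"));`, and do the same in the warning and question dialogs. The three enclosing functions start and end outside the hunks, so any other format-taking calls on `message` in them are not visible here.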
diff -aur alsaplayer-0.99.80.orig/libalsaplayer/message.c alsaplayer-0.99.80/libalsaplayer/message.c
--- alsaplayer-0.99.80.orig/libalsaplayer/message.c 2007-07-08 18:07:05.000000000 +0200
+++ alsaplayer-0.99.80/libalsaplayer/message.c 2012-01-03 22:37:12.000000000 +0100
@@ -381,7 +381,7 @@
 pwd = getpwuid(geteuid());
- sprintf(username, pwd == NULL ? "anonymous" : pwd->pw_name);
+ sprintf(username, "%s", pwd == NULL ? "anonymous" : pwd->pw_name);
 sprintf(test_path, "alsaplayer_%s_", username);
Nur in alsaplayer-0.99.80/libalsaplayer/: message.c~.
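Review bot: The corrected `sprintf(username, "%s", ...)` is still an unbounded copy, because `pwd->pw_name` comes from the passwd/NSS database and nothing in the hunk limits it to the size of `username`. The following `sprintf(test_path, "alsaplayer_%s_", username)` has the same problem one level up. The declarations of both buffers are outside the hunk. If they are fixed-size arrays, the two lines should become `snprintf(username, sizeof(username), "%s", pwd == NULL ? "anonymous" : pwd->pw_name);` and `snprintf(test_path, sizeof(test_path), "alsaplayer_%s_", username);`. The return values should be checked so that a truncated name is rejected rather than silently used.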