Source: courier
Severity: important
Tags: patch

Please enable hardened build flags through dpkg-buildflags.

Patch attached. The hardened build flags showed several cases
of missing format strings, for which additional patches have
been attached.

Cheers,
        Moritz
diff -aur courier-0.66.3.orig/debian/rules courier-0.66.3/debian/rules
--- courier-0.66.3.orig/debian/rules	2012-01-05 20:13:33.000000000 +0100
+++ courier-0.66.3/debian/rules	2012-01-05 20:41:27.000000000 +0100
@@ -72,7 +72,7 @@
 	chmod +x debian/srcmgr
 	if [ ! -f srcmgr.list ]; then debian/srcmgr > srcmgr.list; fi
 	if [ ! -f stamp-build ]; then \
-		LINGUAS="de sv" ./configure $(COMMON_CONFOPTS) \
+		LINGUAS="de sv" ./configure $(shell dpkg-buildflags --export=configure) $(COMMON_CONFOPTS) \
 		--with-postgresql-includes=/usr/include/postgresql \
 		&& $(MAKE) LIBTOOL=/usr/bin/libtool && touch stamp-build; \
 	fi
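Review bot: The flags exported here are the dpkg-buildflags defaults, which, as far as I know for dpkg of this period, do not include PIE or immediate binding (bindnow). For a package that ships network-facing daemons and a CGI webmail binary it is worth opting in with `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` near the top of debian/rules, before `$(shell dpkg-buildflags --export=configure)` is expanded. The `--export=configure` form needs a dpkg-dev recent enough to provide it, and no versioned Build-Depends change is visible in this patch. The flags are handed to `./configure` only, so a build log should be checked to confirm they reach every subdirectory built by the `$(MAKE)` call that follows. The recipe this hunk edits begins outside the hunk.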
Nur in courier-0.66.3/debian: rules~.
diff -aur courier-0.66.3.orig/maildrop/maildrop.C courier-0.66.3/maildrop/maildrop.C
--- courier-0.66.3.orig/maildrop/maildrop.C	2011-04-04 15:03:46.000000000 +0200
+++ courier-0.66.3/maildrop/maildrop.C	2012-01-05 21:15:47.000000000 +0100
@@ -80,7 +80,7 @@
 	{
 		merr << argv[0] << ": " << p << "\n";
 #if SYSLOG_LOGGING
-		syslog(LOG_INFO, p);
+		syslog(LOG_INFO, "%s", p);
 #endif
 		cleanup();
 		return (EX_TEMPFAIL);
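Review bot: Only the calls that the hardened build rejected are converted here, and `-Werror=format-security` reports just the case of a non-literal format with no further arguments, so a call that passes a variable format together with arguments would not have been reported and would stay as it is. This applies equally to the second `syslog(LOG_INFO, "%s", p);` hunk at -90 and to the `printf` hunks in webmail/pcp.c and webmail/sqwebmail.c; a one-off build of the tree with `-Wformat-nonliteral` would show whether any such calls remain. Since `p` appears to be error text rather than a format, a short comment above the call such as `/* p is message text, never a format string */` would keep the `"%s"` from being dropped in a later cleanup. The enclosing block begins before the hunk, so where `p` comes from cannot be confirmed from here.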
@@ -90,7 +90,7 @@
 	{
 		merr << argv[0] << ": " << p << "\n";
 #if SYSLOG_LOGGING
-		syslog(LOG_INFO, p);
+		syslog(LOG_INFO, "%s", p);
 #endif
 		cleanup();
 		return (EX_TEMPFAIL);
Nur in courier-0.66.3/maildrop: maildrop.C~.
diff -aur courier-0.66.3.orig/webmail/pcp.c courier-0.66.3/webmail/pcp.c
--- courier-0.66.3.orig/webmail/pcp.c	2011-04-04 15:03:52.000000000 +0200
+++ courier-0.66.3/webmail/pcp.c	2012-01-05 21:25:07.000000000 +0100
@@ -1518,7 +1518,7 @@
 			printf("</span></td><td width=\"30\">&nbsp;</td><td width=\"100%%\"><span class=\"tt\">");
 			if (p->address && strcmp(p->address, "@"))
 			{
-				printf(getarg("CONFLICTERR2"));
+				printf("%s", getarg("CONFLICTERR2"));
 				print_safe(p->address);
 			}
 			else
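Review bot: With format parsing out of the way, `getarg("CONFLICTERR2")` is still written into the HTML page as-is, while the address on the next line goes through `print_safe`. If that string comes from the translated template files and is meant to carry markup, this is fine and deserves a comment such as `/* template text, may contain markup */`; if anything user-influenced can end up in it, it should go through `print_safe` as well. `fputs(getarg("CONFLICTERR2"), stdout);` would state the intent more directly than `printf("%s", ...)`. The same questions apply to `printf("%s", sep);` in the webmail/sqwebmail.c hunk, and both enclosing functions lie outside the hunks.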
Nur in courier-0.66.3/webmail: pcp.c~.
diff -aur courier-0.66.3.orig/webmail/sqwebmail.c courier-0.66.3/webmail/sqwebmail.c
--- courier-0.66.3.orig/webmail/sqwebmail.c	2011-04-04 15:03:52.000000000 +0200
+++ courier-0.66.3/webmail/sqwebmail.c	2012-01-05 21:38:48.000000000 +0100
@@ -1097,7 +1097,7 @@
 				c=strchr(c, '.');
 				if (c)
 				{
-					printf(sep);
+					printf("%s", sep);
 					print_safe(c+1);
 				}
 			}
Nur in courier-0.66.3/webmail: sqwebmail.c~.
