tag 661398 patch
thanks

On Sun, Feb 26, 2012 at 10:35:45PM +0000, Dominic Hargreaves wrote:
> Source: libdata-alias-perl
> Severity: normal
> Version: 1.16-1
>
> With hardening flags enabled, this package FTBFS:
>
> Alias.xs: In function 'DataAlias_pp_rv2sv':
> Alias.xs:783:4: error: format not a string literal and no format arguments
> [-Werror=format-security]
> cc1: some warnings being treated as errors

For some reason, I only see this on i386 and not amd64. Weird.

This does not have any real security impact AFAICS. Patch attached.
-- 
Niko Tyni [email protected]

>From d1c304e955e25c7a12a67cf3a1e6907a1d5a5171 Mon Sep 17 00:00:00 2001 From: Niko Tyni <[email protected]> Date: Sat, 3 Mar 2012 20:36:26 +0200 Subject: [PATCH] Explicitly DIE() with a controlled format string This fixes builds with 'gcc -Werror=format-security'. As PL_no_localize_ref is an 'extern const' variable from the Perl core, not an uncontrolled format string, the issue does not seem to have any actual security impact. --- Alias.xs | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/Alias.xs b/Alias.xs index f619da5..23a6ca8 100644 --- a/Alias.xs +++ b/Alias.xs @@ -780,7 +780,7 @@ STATIC OP *DataAlias_pp_rv2sv(pTHX) { sv = (SV *) (GvEGV(sv) ? GvEGV(sv) : fixglob(aTHX_ (GV *) sv)); if (PL_op->op_private & OPpLVAL_INTRO) { if (SvTYPE(sv) != SVt_PVGV || SvFAKE(sv)) - DIE(aTHX_ PL_no_localize_ref); + DIE(aTHX_ "%s", PL_no_localize_ref); switch (PL_op->op_type) { case OP_RV2AV: da_localize_gvar(aTHX_ GvGP(sv), (SV **) &GvAV(sv)); -- 1.7.9.1
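
Review bot: In the changed DIE() call in DataAlias_pp_rv2sv, routing PL_no_localize_ref through "%s" means any conversion specifier inside that core string would now be printed literally instead of being expanded, so the commit message should state that the string carries no conversion specifiers and that the user-visible error text is therefore unchanged. The message already argues that the variable is an 'extern const' from the Perl core and not attacker-controlled, which covers the security side; the missing half is the behavioural one. The quoted build log names only Alias.xs:783, so it would also help to say that no other DIE() call in the file passes a non-literal format, since the hunk touches just this one.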

