Your message dated Sat, 22 Oct 2011 14:39:43 -0500
with message-id <[email protected]>
has caused the report #646260,
regarding ggobi: FTBFS with -Werror=format-security
to be marked as having been forwarded to the upstream software
author(s) [email protected]
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
646260: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646260
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi Michael,
Just got this report:
On 22 October 2011 at 20:30, Julian Taylor wrote:
| Source: ggobi
| Version: 2.1.10-3
| Severity: normal
| User: [email protected]
| Usertags: hardening-format-security hardening
|
| the package ggobi fails to compile with the new hardened compiler flags
| dpkg-buildflag outputs [0].
| The problematic flag is: -Werror=format-security
| See the ubuntu buildlog:
|
| https://launchpadlibrarian.net/83134069/buildlog_ubuntu-precise-i386.ggobi_2.1.10-3_FAILEDTOBUILD.txt.gz
| Snippet:
| libtool: compile: gcc -DHAVE_CONFIG_H -I. -pthread
| -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include
| -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0
| -I/usr/include/pango-1.0 -I/usr/include/pixman-1
| -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/cairo
| -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0
| -I/usr/lib/glib-2.0/include -I/usr/include/libxml2 -D_FORTIFY_SOURCE=2
| -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
| -Wformat-security -Werror=format-security -MT ggobi.lo -MD -MP -MF
| .deps/ggobi.Tpo -c ggobi.c -fPIC -DPIC -o .libs/ggobi.o
| ggobi.c: In function 'ValidateGGobiRef':
| ggobi.c:701:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| ggobi.c:704:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| ggobi.c: In function 'ValidateDatadRef':
| ggobi.c:721:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| ggobi.c:723:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| ggobi.c: In function 'ValidateDisplayRef':
| ggobi.c:742:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| ggobi.c:744:5: error: format not a string literal and no format
| arguments [-Werror=format-security]
| cc1: some warnings being treated as errors
|
| The buildflags are not exported in debian, but can be enabled e.g. by
| adding this to debian/rules:
|
| DPKG_EXPORT_BUILDFLAGS = 1
| include /usr/share/dpkg/buildflags.mk
|
| Please fix the issues and maybe also enable the hardened build in debian.
|
| [0] http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html
The lines all just do
    static gchar *error_msg = "Incorrect reference to ggobid.";
    [...]
    if (fatal) {
      g_error (error_msg);
    }
    else
      g_critical (error_msg);
and g_error() et al. appear to be defined with (...) -- but a look at
http://developer.gnome.org/glib/2.28/glib-Message-Logging.html
suggests that maybe the form
    if (fatal) {
      g_error ("%s", error_msg);
    }
    else
      g_critical ("%s", error_msg);
would pass--not sure.
Thoughts? Do you have a current Debian or Ubuntu system handy to test with
the -Werror=format-security flag?
Hardening is generally a good idea so I am supportive even if this seems to
almost be a bit of a stickler issue :)
Cheers, Dirk
--
"Outside of a dog, a book is a man's best friend. Inside of a dog, it is too
dark to read." -- Groucho Marx
--- End Message ---
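The change Dirk sketches, as an added example that is not code from ggobi or GLib: a printf-style logger (log_to_buf, a constructed stand-in for g_error()/g_critical(), so GLib is not needed to build it) carrying the same format attribute that lets gcc's -Wformat-security flag a non-literal format, the "%s" form that satisfies it, and a small count_directives() check that shows why a message passed as the format is risky once it contains a '%'.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for g_error()/g_critical(): a variadic logger whose first
 * variable argument is a printf-style format. The attribute is what lets
 * gcc's -Wformat / -Werror=format-security check calls to it. */
__attribute__((format(printf, 3, 4)))
static int log_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Same message as the ggobi snippet in the report. */
static const char *error_msg = "Incorrect reference to ggobid.";

/* The rejected pattern, kept in a comment so the file builds cleanly:
 *     log_to_buf(out, outlen, error_msg);
 * A non-literal format with no format arguments is exactly what
 * "format not a string literal and no format arguments" refers to. */

/* The fixed form: the message is data and the format is the literal "%s",
 * so any '%' inside the message is printed verbatim, never interpreted. */
static int report_fixed(char *out, size_t outlen, const char *msg)
{
    return log_to_buf(out, outlen, "%s", msg);
}

/* Counts '%' characters that would start a conversion if the string were
 * used as a format ("%%" is a literal percent and does not count). A
 * non-zero result for a message variable is the condition the warning
 * exists to catch, even though the literal above happens to contain none. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    report_fixed(buf, sizeof buf, error_msg);
    printf("%s (directives in message: %d)\n", buf, count_directives(error_msg));
    return 0;
}
```

Compile with `gcc -Wformat -Wformat-security -Werror=format-security` and uncomment the rejected call to reproduce the build failure from the report; the "%s" form compiles without complaint.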