[Debian-med-packaging] Bug#653001: njplot: FTBFS with -Werror=format-security

Ilya Barygin randomaction at ubuntu.com
Thu Dec 22 18:38:36 UTC 2011 

Package: njplot
Version: 2.3-3
Severity: serious
Tags: upstream patch
Justification: fails to build from source (but built successfully in the past)
User: debian-qa at lists.debian.org
Usertags: hardening-format-security

njplot fails to build with -Werror=format-security compiler option.

gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c -I/usr/include/ncbi -DNO_PDF -DWIN_MOTIF -DHELPFILENAME=\"/usr/share/njplot/njplot.help\"  njplot-vib.c
njplot-vib.c: In function 'process_args':
njplot-vib.c:1979:3: error: format not a string literal and no format arguments [-Werror=format-security]
njplot-vib.c: In function 'dir_lineto':
njplot-vib.c:2455:7: warning: unused variable 'p' [-Wunused-variable]
njplot-vib.c: In function 'unrootedset':
njplot-vib.c:3184:1: warning: label 'problem' defined but not used [-Wunused-label]
njplot-vib.c: In function 'tty_plot':
njplot-vib.c:4297:8: warning: variable 'erreur' set but not used [-Wunused-but-set-variable]
njplot-vib.c: In function 'Nlm_GetFontData':
njplot-vib.c:4377:5: warning: statement with no effect [-Wunused-value]
cc1: some warnings being treated as errors

Build log in Ubuntu:
https://launchpadlibrarian.net/87346162/buildlog_ubuntu-precise-armhf.njplot_2.3-3_FAILEDTOBUILD.txt.gz

See also:
http://wiki.debian.org/Hardening
http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html

Patch from Ubuntu attached.
https://launchpad.net/ubuntu/+source/njplot/2.3-3ubuntu1


-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric-proposed'), (500, 'oneiric'), (100, 'oneiric-backports')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-15-generic (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-------------- next part --------------
Description: fix FTBFS with -Werror=format-security.
Author: Ilya Barygin <randomaction at ubuntu.com>

--- njplot-2.3.orig/njplot-vib.c
+++ njplot-2.3/njplot-vib.c
@@ -1976,7 +1976,7 @@ PDFONLY"       no window interface, just
 #else
 		fprintf(stderr,
 #endif
-		message);
+		"%s", message);
 		exit(0);
 		}
 	}

More information about the Debian-med-packaging mailing list