[Debian-med-packaging] Bug#661547: libtfbs-perl: FTBFS with hardening flags enabled: -Werror=format-security
Niko Tyni
ntyni at debian.org
Fri Mar 9 19:44:49 UTC 2012
On Mon, Feb 27, 2012 at 09:44:04PM +0000, Dominic Hargreaves wrote:
> Source: libtfbs-perl
> Severity: normal
> Version: 0.5.svn.20100421-1
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> ./lib/pwm_searchPFF.c: In function 'announce':
> ./lib/pwm_searchPFF.c:124:4: error: format not a string literal and no format arguments [-Werror=format-security]
All calls of this function are conditional on the __DEBUG__ preprocessor
constant, which is defined to 0 in Ext/lib/pwm_search.h. Additionally,
all the calls except one are with one fixed argument. However, it looks
like the call in get_sequence() would probably be vulnerable if __DEBUG__
were enabled.
The compiled shared object usr/lib/perl5/auto/TFBS/Ext/pwmsearch/pwmsearch.so
exports the 'announce' symbol, so it might be used by other software in
a vulnerable way. However, the only reverse dependency, med-bio-dev from
the debian-med source package, does not reference it anywhere AFAICS.
So there doesn't seem to be any real security impact, at least on
unstable. I did glance through the stable versions too and the situation
seems identical.
In any case, the fix is trivial, just change
fprintf(stderr,msg);
to
fprintf(stderr,"%s",msg);
Cheers,
--
Niko Tyni ntyni at debian.org
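The report above describes the classic format-string defect: passing a caller-supplied string as the format argument of fprintf() lets any '%' directives in that string be interpreted, whereas passing it as the argument of a constant "%s" format prints it literally. The following C program is an added example written for this page, not code from the TFBS package or from the bug report; the names announce_to_buffer, count_format_directives and DEBUG_ANNOUNCE are hypothetical, and DEBUG_ANNOUNCE merely stands in for the package's __DEBUG__ constant. The small directive counter is the kind of check an auditor can run over strings that reach a printf-family format slot; the hardened announce() mirrors the one-line fix Niko proposes.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical debug switch standing in for the package's __DEBUG__
 * constant (assumption: the real header defines it to 0). */
#ifndef DEBUG_ANNOUNCE
#define DEBUG_ANNOUNCE 1
#endif

/* Count the conversion directives that a printf-family function would
 * act on if s were used as the FORMAT argument. "%%" is a literal percent
 * and is not counted. Returns -1 if s ends in a lone '%', which is
 * undefined as a format. Any result other than 0 means that
 * fprintf(stderr, s) would not print s verbatim. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": escaped percent, skip both */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* trailing lone '%' */
            return -1;
        count++;
    }
    return count;
}

/* Hardened form of the report's fix, writing into a buffer so the
 * result can be inspected: msg is an ARGUMENT to the constant "%s"
 * format, so its contents are never interpreted as directives.
 * Returns what snprintf returns (the length msg would need). */
int announce_to_buffer(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Returns 1 if the hardened path reproduces msg byte for byte. */
int announce_preserves(const char *msg)
{
    char buf[256];
    announce_to_buffer(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

/* The fixed announce() as the report suggests it: fprintf(stderr,"%s",msg)
 * instead of fprintf(stderr,msg). Only active under the debug switch,
 * as in the package. */
void announce(const char *msg)
{
    if (DEBUG_ANNOUNCE)
        fprintf(stderr, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a "sequence name" that happens to contain
     * format directives. In the unfixed code this string would reach
     * fprintf() as the format itself. */
    const char *seq_name = "seq_%x_%x_%n";

    printf("directives the unfixed fprintf(stderr, msg) would interpret: %d\n",
           count_format_directives(seq_name));
    printf("hardened path prints it verbatim: %s\n",
           announce_preserves(seq_name) ? "yes" : "no");

    announce("announce() with \"%s\" prints this literally, %n and all\n");
    return 0;
}
```

Compiling with -Wformat -Werror=format-security is the cheap way to catch the unfixed pattern at build time, which is exactly how the bug was found; the counter above is for auditing strings at run time or in test suites where the compiler cannot see the data path.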