[Debian-med-packaging] Trying to disable error=format-security for clapack

Gianfranco Costamagna locutusofborg at debian.org
Mon May 16 09:14:30 UTC 2016


Hi,


>/build/clapack-3.2.1/F2CLIBS/libf2c/arithchk.c:125:2: error: format not a string literal and no format arguments [-Werror=format-security]
>  Cray1 = printf(emptyfmt) < 0 ? 0 : 4617762;
>  ^
>cc1: some warnings being treated as errors


I would consider this an RC bug.

Security-wise, the printf can be used to inject shell code in the program, so I would avoid having such bugginess in the archive.
[1] https://en.wikipedia.org/wiki/Uncontrolled_format_string


char *emptyfmt = "";	/* avoid possible warning message with printf("") */
printf(emptyfmt);

should be replaced with

char *emptyfmt = ""; /* avoid possible warning message with printf("") */
printf("%s",emptyfmt);

I'm not sure why you don't want to cherry-pick such a simple and safe fix.

G.
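Added example, not part of the message above nor of the clapack/libf2c sources: a small C program that puts the printf(emptyfmt) shape next to the printf("%s", emptyfmt) fix so the difference is observable at run time. The function names render_unsafe, render_safe, directive_count and interpreted_as_format, and all inputs, are constructed for this illustration. The diagnostic pragma around render_unsafe is the same kind of suppression the thread title refers to; it is there only so the vulnerable shape compiles alongside the fixed one for comparison.

```c
#include <stdio.h>
#include <string.h>

#define BUF 64

/* Count '%' conversion directives in untrusted data. "%%" is a literal
 * percent sign and is not counted. This is the property the compiler
 * cannot establish for a non-literal char* such as emptyfmt. */
int directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable shape, the same as printf(emptyfmt): the data IS the format
 * string. The pragma silences -Wformat-security (and -Werror=format-security)
 * for this one definition; it is the suppression the thread argues against
 * and is kept here only so the example compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int render_unsafe(char *out, size_t n, const char *data)
{
    return snprintf(out, n, data);
}
#pragma GCC diagnostic pop

/* Fixed shape: a literal format, the data passed as the %s argument. */
int render_safe(char *out, size_t n, const char *data)
{
    return snprintf(out, n, "%s", data);
}

/* Returns 1 when the two renderings differ, i.e. when the data was
 * interpreted as a format string instead of being copied; 0 when they
 * agree. Returns -1 and refuses to run render_unsafe when the data
 * contains real directives, because that would be undefined behaviour
 * (stack reads via %x/%s, arbitrary writes via %n). */
int interpreted_as_format(const char *data)
{
    char a[BUF], b[BUF];

    if (directive_count(data) != 0)
        return -1;
    render_unsafe(a, sizeof a, data);
    render_safe(b, sizeof b, data);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *cases[] = { "", "plain text", "100%% done", "%08x%s%%%n" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *c = cases[i];
        printf("input \"%s\": directives=%d interpreted=%d\n",
               c, directive_count(c), interpreted_as_format(c));
    }
    return 0;
}
```

Build with `gcc -Wformat -Wformat-security` and remove the pragma to see the exact warning quoted at the top of this message appear on render_unsafe and not on render_safe. At run time the empty string renders identically through both functions, which is why the libf2c code has never misbehaved; "100%% done" already shows the data being interpreted ("100% done" versus a faithful copy), and anything with a real directive is refused rather than executed.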


