[Debian-med-packaging] Applied patch in Debian packaging, please review (Was: [samtools/samtools] Replace Curses `mvprintw()` with `va_list`-based equivalent (#1509))

Andreas Tille tille at debian.org
Wed Oct 6 12:47:58 BST 2021


Hi John,

I've taken over your patch to the Debian packaging[1].  I consider it OK
to wait with an upload until something else in this package needs to be
changed but feel free to correct me and ask for an immediate upload.

Thanks a lot for your contribution

     Andreas.

[1] https://salsa.debian.org/med-team/samtools-legacy/-/blob/master/debian/patches/gcc-11.patch

Am Sat, Oct 02, 2021 at 02:59:41PM -0700 schrieb John Marshall:
> As observed by @tillea in [this samtools-0.1.19 patch](https://salsa.debian.org/med-team/samtools-legacy/-/commit/f2e1cdea0ea41f50e6de1f231eb8091a36602cde), the curses code uses potentially user-supplied data as a printf-style format:
> 
> ```
> $ make CFLAGS='-DGCC_PRINTF -Wall -Wformat-security' bam_tview_curses.o
> clang -DGCC_PRINTF -Wall -Wformat-security -I. -I../htslib -I./lz4  -c -o bam_tview_curses.o bam_tview_curses.c
> bam_tview_curses.c:88:18: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     mvprintw(y,x,str);
> 
> ```
> 
> (At present, _bam_tview.c_ only uses this to print numbers, so fortunately presumably it will never actually contain a `%` character.)
> 
> Rather than adding `"%s"` as appropriate, we can use another curses function that takes a `va_list` directly to avoid allocating a buffer and `sprintf`-ing into it here. Build tested on ~~Solaris~~OpenIndiana (which disappointingly uses a form of ncurses rather than some other vendor curses) and OpenBSD as well as the usual platforms.
> You can view, comment on, or merge this pull request online at:
> 
>   https://github.com/samtools/samtools/pull/1509
> 
> -- Commit Summary --
> 
>   * <a href="https://github.com/samtools/samtools/pull/1509/commits/396ef20eb0854d6b223c3223b60bb7efe42301f7">Replace Curses mvprintw() with va_list-based equivalent</a>
> 
> -- File Changes --
> 
>     M bam_tview_curses.c (8)
> 
> -- Patch Links --
> 
> https://github.com/samtools/samtools/pull/1509.patch
> https://github.com/samtools/samtools/pull/1509.diff
> 
> -- 
> You are receiving this because you were mentioned.
> Reply to this email directly or view it on GitHub:
> https://github.com/samtools/samtools/pull/1509

-- 
http://fam-tille.de
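For readers following the thread, here is a small self-contained illustration of the pattern the PR adopts (the untrusted string is passed as an argument to a fixed `"%s"` format through a `va_list`-based writer, never as the format itself). This is an added example written for this page, not samtools code and not the PR's diff; it replaces the curses screen with an in-memory grid so it runs without ncurses, and all names (`screen_t`, `screen_vmvprintw`, `screen_mvprintw`, `tview_put`, `tview_put_unsafe`, `has_format_directive`) are hypothetical.

```c
/* Added example, not samtools or ncurses code. An in-memory stand-in for
 * curses' mvprintw()/vw_printw() showing why untrusted text must be passed
 * as a "%s" argument rather than as the format string. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SCREEN_COLS 40
#define SCREEN_ROWS 4

/* Hypothetical screen: each row is a NUL-terminated line of SCREEN_COLS cells. */
typedef struct { char cell[SCREEN_ROWS][SCREEN_COLS + 1]; } screen_t;

static void screen_init(screen_t *s) {
    for (int r = 0; r < SCREEN_ROWS; r++) {
        memset(s->cell[r], ' ', SCREEN_COLS);
        s->cell[r][SCREEN_COLS] = '\0';
    }
}

/* Analogue of curses' vw_printw(): format a va_list into row y at column x.
 * Returns the number of cells written, or -1 on a bad position/format. */
static int screen_vmvprintw(screen_t *s, int y, int x, const char *fmt, va_list ap) {
    char buf[SCREEN_COLS + 1];
    if (y < 0 || y >= SCREEN_ROWS || x < 0 || x >= SCREEN_COLS) return -1;
    int n = vsnprintf(buf, sizeof buf, fmt, ap);   /* truncates to the row width */
    if (n < 0) return -1;
    if (n > SCREEN_COLS - x) n = SCREEN_COLS - x;   /* clip at the right edge */
    memcpy(&s->cell[y][x], buf, (size_t)n);
    return n;
}

/* Analogue of mvprintw(): varargs front end over the va_list version. */
static int screen_mvprintw(screen_t *s, int y, int x, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = screen_vmvprintw(s, y, x, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the thread warns about: str becomes the format. Only safe to
 * demonstrate with "%%", which consumes no argument; any other directive
 * would read arguments that were never passed (undefined behaviour). */
static int tview_put_unsafe(screen_t *s, int y, int x, const char *str) {
    return screen_mvprintw(s, y, x, str);
}

/* The hardened form: str is always data, whatever characters it contains. */
static int tview_put(screen_t *s, int y, int x, const char *str) {
    return screen_mvprintw(s, y, x, "%s", str);
}

/* Check for code that still forwards a string as a format: 1 if str holds a
 * conversion directive (a '%' that is not the escape "%%"), else 0. */
static int has_format_directive(const char *str) {
    for (const char *p = str; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal percent sign */
        return 1;
    }
    return 0;
}

static const char *screen_row(const screen_t *s, int y) { return s->cell[y]; }

int main(void) {
    screen_t s;
    screen_init(&s);
    tview_put_unsafe(&s, 0, 0, "50%%");   /* rendered as "50%": the data was interpreted */
    tview_put(&s, 1, 0, "50%%");          /* rendered as "50%%": the data was printed */
    tview_put(&s, 2, 0, "%d%n%s");        /* directives appear verbatim, nothing is consumed */
    for (int r = 0; r < 3; r++) printf("row %d: [%s]\n", r, screen_row(&s, r));
    printf("has_format_directive(\"12%%s\") = %d\n", has_format_directive("12%s"));
    return 0;
}
```

Giving `screen_mvprintw` a `__attribute__((format(printf, 4, 5)))` on GCC/Clang would make the `-Wformat-security` build from the quoted log flag `tview_put_unsafe` the same way it flagged `mvprintw(y,x,str)`; `has_format_directive` is the runtime counterpart for auditing strings that reach an existing non-literal format call.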


