Bug#661382: libcrypt-openssl-dsa-perl: FTBFS with hardening flags enabled: -Werror=format-security

Dominic Hargreaves dom at earth.li
Sun Feb 26 20:15:49 UTC 2012


Source: libcrypt-openssl-dsa-perl
Severity: normal
Version: 0.13-5

With hardening flags enabled, this package FTBFS:

DSA.xs:57:11: error: format not a string literal and no format arguments [-Werror=format-security]
DSA.c: In function 'XS_Crypt__OpenSSL__DSA_generate_key':

(this is the first error of this type seen: it's possible that there
could be others once this is fixed).

A likely fix is to change croak(var) to croak("%s", var)[1].

Note that I haven't verified whether an externally-controlled string is
used; if so, it would be appropriate to upgrade this bug to RC severity
with the security tag[2].
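Added illustration (not part of the bug report and not code from libcrypt-openssl-dsa-perl): a stand-alone C stand-in for the croak() pattern the warning flags. report_error() is a hypothetical printf-style wrapper that formats into a buffer instead of dying, so the two call styles can be compared without Perl headers. The unsafe variant passes the message itself as the format string, which is exactly what -Werror=format-security rejects; the safe variant applies the "%s" fix, so a message that happens to contain '%' is rendered verbatim rather than parsed as conversion specifiers.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl's croak(): formats into a static buffer
 * instead of raising an exception, so results can be inspected. */
static char last_error[256];

static void report_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* The pattern the compiler rejects: the message is used as the format.
 * For a plain message this behaves fine, which is why the defect is latent;
 * if the message can carry '%' sequences, it is interpreted as a format
 * with no matching arguments (undefined behaviour). Only called here with
 * a constant message that contains no '%'. */
static const char *report_unsafe(const char *msg)
{
    report_error(msg);
    return last_error;
}

/* The fix suggested in the report: croak("%s", var). The message is now an
 * argument, so any '%' in it is copied through literally. */
static const char *report_safe(const char *msg)
{
    report_error("%s", msg);
    return last_error;
}

/* Count '%' characters that would start a conversion if the string were
 * (mis)used as a format: every '%' except the "%%" escape. This is the
 * kind of check one would make when deciding whether a message built from
 * external input reaches a format parameter. */
static int conversion_starts(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    const char *constant_msg = "DSA_generate_key failed";   /* constructed */
    const char *odd_msg = "key label: 100%d of %n bytes"; /* constructed */

    printf("unsafe, constant message: %s\n", report_unsafe(constant_msg));
    printf("safe,   same message:     %s\n", report_safe(constant_msg));
    printf("safe,   message with %%:  %s\n", report_safe(odd_msg));
    printf("conversion starts in odd message: %d\n", conversion_starts(odd_msg));
    return 0;
}
```

Compiling a real call of the unsafe form against perl.h, where croak carries a printf-style format attribute, is what produces the diagnostic quoted above; the wrapper here has no such attribute, so the point is made at run time by the verbatim output of report_safe() rather than by a compiler warning.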

This was found during testing of perl 5.14.2-8 in experimental; however,
since that version was prepared, it has been decided not to export
those build flags in Config_heavy.pl. However, it is likely that at some
point, either in debhelper 9 or 10, the hardening flags will be enabled
for all perl modules.

Thanks,
Dominic.

[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)