Bug#661539: libfile-mmagic-xs-perl: FTBFS with hardening flags enabled: -Werror=format-security
Niko Tyni
ntyni at debian.org
Mon Mar 5 20:33:58 UTC 2012
tag 661539 patch
thanks
On Mon, Feb 27, 2012 at 09:38:48PM +0000, Dominic Hargreaves wrote:
> Source: libfile-mmagic-xs-perl
> Severity: normal
> Version: 0.09006-3
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> src/perl-mmagic-xs.c: In function 'fmm_parse_magic_line':
> src/perl-mmagic-xs.c:930:9: error: format not a string literal and no format arguments [-Werror=format-security]

This can be triggered with

  $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")'
  Segmentation fault (core dumped)

I can't see obvious security implications. A system that processes
untrusted magic(5) lines doesn't seem very likely. Cc'ing the security
team anyway in case they can think of something.

In any case, this should be fixed and forwarded upstream.
--
Niko Tyni ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Call-croak-with-a-controlled-format-string.patch
Type: text/x-diff
Size: 1020 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120305/76f22fa2/attachment.patch>
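
The pattern behind the -Werror=format-security error, as an added C illustration that is not the package's code and not the attached patch: report_error() is a hypothetical stand-in for a croak()-style printf-like reporter, and every sample string other than the "%s%s%s%s" line quoted above is constructed. The unsafe wrapper is only ever exercised with "%%", which consumes no argument, so the run stays within defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a croak()-style reporter: printf-style format
 * plus varargs, rendered into a caller-supplied buffer instead of dying. */
static int report_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Unsafe pattern: the input line itself is used as the format string. */
static int report_unsafe(char *out, size_t outlen, const char *line)
{
    return report_error(out, outlen, line);
}

/* Fixed pattern: constant format, input line passed as data. */
static int report_safe(char *out, size_t outlen, const char *line)
{
    return report_error(out, outlen, "%s", line);
}

/* Rough count of conversions in s that would each consume an argument. */
static int count_arg_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        if (s[1] == '\0') break;             /* dangling '%' at end */
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *line = "%s%s%s%s";  /* the line from the report above */
    report_safe(buf, sizeof buf, line);
    printf("%d conversions, rendered safely as: %s\n", count_arg_conversions(line), buf);
    return 0;
}
```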