Bug#661539: libfile-mmagic-xs-perl: FTBFS with hardening flags enabled: -Werror=format-security

Moritz Mühlenhoff jmm at inutil.org
Tue Mar 6 22:00:18 UTC 2012


On Mon, Mar 05, 2012 at 10:33:58PM +0200, Niko Tyni wrote:
> tag 661539 patch
> thanks
> 
> On Mon, Feb 27, 2012 at 09:38:48PM +0000, Dominic Hargreaves wrote:
> > Source: libfile-mmagic-xs-perl
> > Severity: normal
> > Version: 0.09006-3
> > User: debian-qa at lists.debian.org
> > Usertags: hardening-format-security hardening
> > 
> > With hardening flags enabled, this package FTBFS:
> > 
> > src/perl-mmagic-xs.c: In function 'fmm_parse_magic_line':
> > src/perl-mmagic-xs.c:930:9: error: format not a string literal and no format arguments [-Werror=format-security]
> 
> This can be triggered with
> 
>     $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")'
>     Segmentation fault (core dumped)
> 
> I can't see obvious security implications. A system that processes
> untrusted magic(5) lines doesn't seem very likely. Cc'ing the security
> team anyway in case they can think of something.

I agree, we don't need to fix this in stable.

Cheers,
        Moritz
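
The -Werror=format-security error quoted above fires when a printf-style function is handed a non-literal string as its format with no further arguments. As an added example (not taken from this thread or from the package's source; `set_error`, `report_bad_line` and `report_bad_line_at` are hypothetical names), this shows the flagged form next to the literal-format fix:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style error sink (an assumption, not the module's
 * own reporter): stores the last message in a fixed-size buffer. */
static char last_error[256];

static void set_error(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));

static void set_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

#ifdef SHOW_FLAGGED_FORM
/* Flagged form, not compiled by default: data is used as the format.
 * With a line such as "%s%s%s%s" the formatter fetches four pointer
 * arguments that were never passed, which is undefined behaviour. */
static void report_bad_line_flagged(const char *line)
{
    set_error(line);   /* format not a string literal and no format arguments */
}
#endif

/* Hardened form: the format is a literal, the line is only an argument. */
const char *report_bad_line(const char *line)
{
    set_error("%s", line);
    return last_error;
}

/* Same fix when context is added around the untrusted text. */
const char *report_bad_line_at(int lineno, const char *line)
{
    set_error("line %d: invalid magic entry: %s", lineno, line);
    return last_error;
}

int main(void)
{
    /* Constructed inputs: conversion specifiers come out as plain text. */
    puts(report_bad_line("%s%s%s%s"));
    puts(report_bad_line_at(7, "%n%n"));
    return 0;
}
```

Building with `-DSHOW_FLAGGED_FORM -Wformat -Werror=format-security` reproduces the class of diagnostic shown in the build log.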





More information about the pkg-perl-maintainers mailing list