Bug#661539: libfile-mmagic-xs-perl: FTBFS with hardening flags enabled: -Werror=format-security
Moritz Mühlenhoff
jmm at inutil.org
Tue Mar 6 22:00:18 UTC 2012
On Mon, Mar 05, 2012 at 10:33:58PM +0200, Niko Tyni wrote:
> tag 661539 patch
> thanks
>
> On Mon, Feb 27, 2012 at 09:38:48PM +0000, Dominic Hargreaves wrote:
> > Source: libfile-mmagic-xs-perl
> > Severity: normal
> > Version: 0.09006-3
> > User: debian-qa at lists.debian.org
> > Usertags: hardening-format-security hardening
> >
> > With hardening flags enabled, this package FTBFS:
> >
> > src/perl-mmagic-xs.c: In function 'fmm_parse_magic_line':
> > src/perl-mmagic-xs.c:930:9: error: format not a string literal and no format arguments [-Werror=format-security]
>
> This can be triggered with
>
> $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")'
> Segmentation fault (core dumped)
>
> I can't see obvious security implications. A system that processes
> untrusted magic(5) lines doesn't seem very likely. Cc'ing the security
> team anyway in case they can think of something.
I agree, we don't need to fix this in stable.
Cheers,
Moritz
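
The class of bug behind the `-Werror=format-security` error and the `%s%s%s%s` crash quoted above, as an added example that is not part of the original message or the package's source. `struct parser_state`, `set_error` and `reject_line` are hypothetical names; the sketch shows a printf-style error setter called with a constant format so that the input line is handled as data.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parser state that stores its last error. */
struct parser_state {
    char error[256];
};

/* printf-style error setter. With the format attribute, GCC and Clang
 * check every call site, so -Wformat-security also flags a non-literal
 * format passed to this wrapper. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
static int set_error(struct parser_state *st, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    /* Bounded write: output is truncated and NUL-terminated if too long. */
    n = vsnprintf(st->error, sizeof st->error, fmt, ap);
    va_end(ap);
    return n;
}

/* Reject a magic(5)-style line and record why.
 *
 * Flagged pattern (kept as a comment only): the input becomes the format,
 * so conversions in the line consume arguments that were never passed:
 *     set_error(st, line);
 *
 * Hardened pattern: constant format, input passed as an argument. */
static int reject_line(struct parser_state *st, const char *line)
{
    return set_error(st, "invalid magic line: %s", line);
}

int main(void)
{
    struct parser_state st;

    /* Constructed input: the string used in the reproducer quoted above. */
    reject_line(&st, "%s%s%s%s");
    puts(st.error);
    return 0;
}
```
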