Bug#661546: libterm-slang-perl: FTBFS with hardening flags enabled: -Werror=format-security

[Niko Tyni]

On Mon, Feb 27, 2012 at 09:43:10PM +0000, Dominic Hargreaves wrote:
> Source: libterm-slang-perl
> Severity: normal
> Version: 0.07-11

[Joey: do you think we should still keep this package alive? See below.]

> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
> 
> With hardening flags enabled, this package FTBFS:
> 
> Slang.c: In function 'XS_Term__Slang_SLsmg_printf':
> Slang.c:301:2: error: format not a string literal and no format arguments [-Werror=format-security]

This is wrapping the SLsmg_printf() vararg function in the
S-lang library.

The current implementation of the Perl binding of SLsmg_printf() only uses
the first argument, and is therefore equivalent to SLsmg_write_string()
except that it breaks with format strings.

A program that calls SLsmg_printf() with untrusted data would be vulnerable.
In practice that seems improbable, so I don't think this needs fixing in
stable. Cc'ing the security team in case they disagree.

No reverse dependencies in unstable, and the satutils package is the only
one in stable. I've glanced through that and there are no occurrences
of SLsmg_printf.

The discussion in
 http://grokbase.com/t/perl/xs/01aqz9zwrv/variable-length-parameter-lists-from-perl-c
suggests an XS wrapper like this can't be done for an arbitrary number of
arguments, assuming I understand this correctly.

I think the best we can do is to implement SLsmg_printf() with
SLsmg_write_string() and document the limitation.

However, I wonder if we shouldn't rather remove this package from the
archive.  The last upstream release was twelve years ago, the last Debian
upload was five years ago. There are no reverse dependencies left and the
popcon count has been steadily declining for seven years.

I'm cc'ing Joey Hess, the previous maintainer. Joey, do you think we should
still keep this package?
-- 
Niko Tyni   ntyni at debian.org