Bug#661541: liblocale-hebrew-perl: FTBFS with hardening flags enabled: -Werror=format-security

Niko Tyni ntyni at debian.org
Fri Mar 9 20:08:14 UTC 2012


On Mon, Feb 27, 2012 at 09:40:46PM +0000, Dominic Hargreaves wrote:
> Source: liblocale-hebrew-perl
> Severity: normal
> Version: 1.04-1
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
> 
> With hardening flags enabled, this package FTBFS:
> 
> bidi.c: In function 'ShowInputTypes':
> bidi.c:1237:5: error: format not a string literal and no format arguments [-Werror=format-security]
> bidi.c: In function 'ShowTypes':
> bidi.c:1248:5: error: format not a string literal and no format arguments [-Werror=format-security]
> bidi.c: In function 'ShowLevels':
> bidi.c:1259:5: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors

These functions are undocumented and not used by the module itself. They
are apparently inherited from a "Sample Implementation of the Unicode
Bidirectional Algorithm". While they are exported by the shared object
/usr/lib/perl5/auto/Locale/Hebrew/Hebrew.so, it doesn't seem likely
that anybody would use them. There are no reverse dependencies in Debian
to check.

Also, the functions don't seem to be actually vulnerable as
CharFromTypes[] is a fixed array that doesn't contain the percent sign,
and the format strings are made from its elements. I don't claim
to actually understand the stuff, though.

Conclusion: no obvious security impact.
-- 
Niko Tyni   ntyni at debian.org
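An added illustration of the pattern behind the -Werror=format-security error and its usual fix. This is example code written for this page, not code from liblocale-hebrew-perl or from the Unicode bidi sample implementation; the CharFromTypes[] contents, the sample type indices and the function names are constructed stand-ins, and the buffer size is an arbitrary choice.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the module's fixed type-to-character table
 * (the real CharFromTypes[] contents are not reproduced here). What
 * -Wformat-security cares about is a property of this table: it must
 * never contain '%', or a buffer built from it becomes a live format
 * string when handed to printf() as its first argument. */
static const char CharFromTypes[] = "LRANEOWBS";
#define NUM_TYPES (sizeof CharFromTypes - 1)

/* Constructed sample input: three valid type indices and one bogus one. */
static const int sample_types[] = { 0, 1, 2, 42 };
#define SAMPLE_LEN (sizeof sample_types / sizeof sample_types[0])

/* Check the invariant the message above relies on: no table entry can
 * start a printf conversion. Returns 1 if the table is free of '%'. */
int table_has_no_percent(void)
{
    return strchr(CharFromTypes, '%') == NULL;
}

/* Render an array of type indices as a string, the way the Show* helpers
 * build their output before printing it. Out-of-range indices become '?'.
 * Returns the number of characters written, not counting the terminator. */
size_t types_to_string(const int *types, size_t n, char *out, size_t outsz)
{
    size_t i, w = 0;
    if (outsz == 0)
        return 0;
    for (i = 0; i < n && w + 1 < outsz; i++) {
        int t = types[i];
        out[w++] = (t >= 0 && (size_t)t < NUM_TYPES) ? CharFromTypes[t] : '?';
    }
    out[w] = '\0';
    return w;
}

/* The shape the compiler rejects, kept as a comment so this file builds
 * cleanly with -Werror=format-security:
 *
 *     printf(buf);   // format not a string literal and no format arguments
 *
 * It is only harmless while buf can never contain '%', which the compiler
 * cannot prove. The fix is a literal format with the data as an argument;
 * the call's return value is the byte count printf() reports. */
int show_types_safe(const int *types, size_t n)
{
    char buf[256];
    types_to_string(types, n, buf, sizeof buf);
    return printf("%s\n", buf);
}

/* Render the constructed sample into a static buffer for inspection. */
const char *render_sample(void)
{
    static char buf[64];
    types_to_string(sample_types, SAMPLE_LEN, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("table free of '%%': %s\n", table_has_no_percent() ? "yes" : "no");
    show_types_safe(sample_types, SAMPLE_LEN);
    return 0;
}
```

The invariant check is the part worth keeping in a real code base: the compiler flags the call because it cannot see that the table is percent-free, and switching to `printf("%s", buf)` removes the dependency on that invariant entirely, which is why the fix is preferable to suppressing the warning.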
