Bug#661540: libapache2-mod-perl2: FTBFS with hardening flags enabled: -Werror=format-security

Niko Tyni ntyni at debian.org
Fri Mar 9 20:50:33 UTC 2012


On Mon, Feb 27, 2012 at 09:39:53PM +0000, Dominic Hargreaves wrote:
> Source: libapache2-mod-perl2
> Severity: normal
> Version: 2.0.5-5
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
> 
> With hardening flags enabled, this package FTBFS:
> 
> In file included from Pool.xs:26:0:
> /build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h: In function 'mpxs_cleanup_run':
> /build/dom-libapache2-mod-perl2_2.0.5-5-i386-x1v_OO/libapache2-mod-perl2-2.0.5/xs/APR/Pool/APR__Pool.h:315:9: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors

There are three other places where a variable is used as a format
string to Perl_croak(). I'm attaching a trivial patch that fixes those.
This makes the build with -Werror=format-security succeed.

If the variable can be externally controlled by untrusted input, this
is a security problem.  The two usage warnings use constant strings so
they seem safe, but I'm afraid I can't tell whether this is the case
for ERRSV in the mpxs_cleanup_run() phase.

I'm cc'ing the modperl development list. Could somebody please look
into this? Also cc'ing the Debian security team as a heads up.

In any case, please consider the patch for 2.0.6.

Thanks for your work on mod_perl,
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-controlled-format-strings-for-Perl_croak.patch
Type: text/x-diff
Size: 2183 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120309/b28957d1/attachment.patch>
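The fix the patch describes is the standard one for this class of warning: never pass a variable as the format argument of a printf-style function; pass a constant format and the variable as data. The following is an added illustration, not part of the message or of the mod_perl patch. It uses a hypothetical `fake_croak()` that formats into a buffer (so the result can be inspected) in place of `Perl_croak()`, and a constructed error message containing `%` characters to show that the safe form preserves the message verbatim instead of interpreting it.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Hypothetical stand-in for Perl_croak(): printf-style, but writes the
 * formatted message into a caller buffer instead of aborting. */
static void fake_croak(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* The pattern -Werror=format-security rejects (shown only as a comment,
 * not compiled):
 *
 *     fake_croak(out, outlen, msg);
 *
 * If 'msg' originates from untrusted input and contains conversion
 * specifiers, they are interpreted as format directives. */

/* The corrected pattern: a constant format string, with the variable
 * message passed as an ordinary argument. */
void report_error_safe(char *out, size_t outlen, const char *msg)
{
    fake_croak(out, outlen, "%s", msg);
}

/* Returns 1 if 'msg' survives report_error_safe() byte-for-byte
 * (as it should, regardless of any '%' it contains), 0 otherwise. */
int message_preserved(const char *msg)
{
    char buf[MSG_MAX];
    report_error_safe(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed sample: an error text that happens to contain '%'. */
    const char *sample = "cleanup failed: 100% of %s handlers ran";
    printf("preserved: %d\n", message_preserved(sample));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (or the `-Werror=format-security` flag from the bug report) is the cheap way to catch remaining instances: the warning fires on any call where the format is not a literal and no further arguments are supplied.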

