Bug#661548: libyaml-libyaml-perl: FTBFS with hardening flags enabled: -Werror=format-security

Salvatore Bonaccorso carnil at debian.org
Sat Mar 10 07:48:37 UTC 2012


Hi Niko

On Fri, Mar 09, 2012 at 08:09:54AM +0200, Niko Tyni wrote:
> severity 661548 grave
> tag 661548 security
> found 661548 0.33-1
> thanks
> 
> On Mon, Feb 27, 2012 at 09:44:42PM +0000, Dominic Hargreaves wrote:
> > Source: libyaml-libyaml-perl
> > Severity: normal
> > Version: 0.38-1
> > User: debian-qa at lists.debian.org
> > Usertags: hardening-format-security hardening
> > 
> > With hardening flags enabled, this package FTBFS:
> > 
> > perl_libyaml.c: In function 'Load':
> > perl_libyaml.c:191:5: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_node':
> > perl_libyaml.c:274:9: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_mapping':
> > perl_libyaml.c:318:9: error: format not a string literal and no format arguments [-Werror=format-security]
> > perl_libyaml.c: In function 'load_sequence':
> > perl_libyaml.c:351:9: error: format not a string literal and no format arguments [-Werror=format-security]
> 
> These format strings can be injected from user input,
> so raising the severity. A DSA will be issued for squeeze.
> 
> I've just notified upstream via the RT tickets below. Could somebody from
> the pkg-perl team please prepare updated packages (built with -sa for
> stable-security as this is new there)?  Trivial patches can be found in

Are you going to prepare the upload for it? Otherwise, I have
prepared the branch in our git repository with the fix taken from
the upstream RT#46507 patch.

A review would be welcome anyway.

Regards
Salvatore
Attachment: debdiff_libyaml_libyaml-perl_0.33-2.diff (text/x-diff, 3862 bytes): <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120310/7004ec1e/attachment.diff>
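The diagnostic quoted above ("format not a string literal and no format arguments") is GCC's way of saying that a message assembled at run time, here from the YAML document being parsed, is handed to a printf-style function as the format itself. The following is an added example, not code from libyaml-libyaml-perl or the upstream patch: it models that pattern with hypothetical functions (`emit_error` as a stand-in for the croak-style sink, `report_error_unsafe` as the "before", `report_error_safe` as the "after" with a literal `"%s"` format) and an assumed message layout. The sample input uses `%%`, which printf defines as a single `%`, so the difference between the two variants is visible without invoking undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from perl_libyaml.c: it models the defect that
 * -Werror=format-security flags (a message containing parser/user data
 * passed as the format string with no arguments) and the literal-"%s" fix.
 * Function names and the message layout are assumptions for illustration. */

#define MSG_MAX 256

/* Stand-in for a croak()/printf-style sink: formats into a caller buffer.
 * Declaring it with __attribute__((format(printf, 3, 4))) would make GCC
 * emit the same -Wformat-security diagnostic on report_error_unsafe(). */
static void emit_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Build the error text the way a loader might: a fixed prefix plus the
 * piece of the document that could not be parsed (assumed layout). */
static void build_message(char *buf, size_t buflen, const char *context)
{
    snprintf(buf, buflen, "Load Error: unexpected input '%s'", context);
}

/* BEFORE: the assembled message, which contains untrusted document text, is
 * passed as the format itself. Every '%' in the document now acts as a
 * conversion directive, which is exactly what the compiler warned about. */
int report_error_unsafe(char *out, size_t outlen, const char *context)
{
    char msg[MSG_MAX];
    build_message(msg, sizeof msg, context);
    emit_error(out, outlen, msg);          /* msg used as the format string */
    return (int)strlen(out);
}

/* AFTER: a literal "%s" format; the message is an ordinary argument and is
 * copied verbatim whatever characters it contains. */
int report_error_safe(char *out, size_t outlen, const char *context)
{
    char msg[MSG_MAX];
    build_message(msg, sizeof msg, context);
    emit_error(out, outlen, "%s", msg);    /* literal format, msg is data */
    return (int)strlen(out);
}

/* Returns 1 if the sink reproduced the message unchanged, 0 if it altered it,
 * i.e. if it interpreted part of the untrusted text as format directives. */
int message_preserved(int (*report)(char *, size_t, const char *),
                      const char *context)
{
    char expected[MSG_MAX], got[MSG_MAX];
    build_message(expected, sizeof expected, context);
    report(got, sizeof got, context);
    return strcmp(expected, got) == 0;
}

int main(void)
{
    /* Constructed sample: "%%" is well defined for printf (it yields one '%'),
     * so the unsafe variant visibly rewrites the message without any
     * undefined behaviour. */
    const char *sample = "100%% done";
    printf("unsafe preserved: %d\n", message_preserved(report_error_unsafe, sample));
    printf("safe   preserved: %d\n", message_preserved(report_error_safe, sample));
    return 0;
}
```

With the sample input the unsafe variant reports `Load Error: unexpected input '100% done'` (the doubled percent collapsed, proving the document text was parsed as a format), while the safe variant reproduces the message exactly; for input without any `%` both agree, which is why such defects survive until hardening flags or an unusual document expose them. The fix in the debdiff referenced above is of the same shape: keep the format a string literal and pass the message as an argument.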