Bug#661540: libapache2-mod-perl2: FTBFS with hardening flags enabled: -Werror=format-security
Niko Tyni
ntyni at debian.org
Mon Mar 12 14:26:30 UTC 2012
On Mon, Mar 12, 2012 at 02:58:05PM +0100, Torsten Förtsch wrote:
> On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> > The two usage warnings use constant strings so
> > they seem safe,
>
> They are safe since the "usage" variable is constant and does not contain any
> %-sequences. I do not see the need to fix anything here. What do I miss?
The fact that gcc can't see this and so building with
-Werror=format-security fails. Consider that part of the patch as
silencing false positive warnings.
> > but I'm afraid I can't tell whether this is the case
> > for ERRSV in the mpxs_cleanup_run() phase.
>
> These occasions are fixed as of revision 1299669 as described in my previous
> mail.
Thanks!
Can you think of a scenario where an attacker could inject format
sequences to ERRSV? That would make earlier releases vulnerable.
--
Niko Tyni ntyni at debian.org
More information about the pkg-perl-maintainers
mailing list