Your message dated Fri, 24 May 2013 16:48:37 +0000
with message-id <[email protected]>
and subject line Bug#709530: fixed in qalculate-gtk 0.9.7-5
has caused the Debian Bug report #709530,
regarding qalculate-gtk: Please enable disabled hardening flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
709530: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709530
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qalculate-gtk
Version: 0.9.7-4
Severity: normal
Tags: patch

Hello,

You've disabled most of the hardening in debian/patches, please
re-enable it.

The attached patch fixes the build with -Werror=format-security
(if possible it should be sent to upstream), therefore the
following hardening setting should work fine:

    export DEB_BUILD_MAINT_OPTIONS = hardening=+all

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Fix compiling with -Werror=format-security.
 Prevents format string attacks.
Author: Simon Ruderich <[email protected]>
Last-Update: 2013-05-23

--- qalculate-gtk-0.9.7.orig/src/callbacks.cc
+++ qalculate-gtk-0.9.7/src/callbacks.cc
@@ -388,12 +388,12 @@ void wrap_expression_selection() {
 }
 
 void show_message(const gchar *text, GtkWidget *win) {
-	GtkWidget *edialog = gtk_message_dialog_new(GTK_WINDOW(win), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, text);
+	GtkWidget *edialog = gtk_message_dialog_new(GTK_WINDOW(win), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE, "%s", text);
 	gtk_dialog_run(GTK_DIALOG(edialog));
 	gtk_widget_destroy(edialog);
 }
 bool ask_question(const gchar *text, GtkWidget *win) {
-	GtkWidget *edialog = gtk_message_dialog_new(GTK_WINDOW(win), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_ERROR, GTK_BUTTONS_YES_NO, text);
+	GtkWidget *edialog = gtk_message_dialog_new(GTK_WINDOW(win), GTK_DIALOG_DESTROY_WITH_PARENT, GTK_MESSAGE_ERROR, GTK_BUTTONS_YES_NO, "%s", text);
 	int question_answer = gtk_dialog_run(GTK_DIALOG(edialog));
 	gtk_widget_destroy(edialog);
 	return question_answer == GTK_RESPONSE_YES;
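Review bot: show_message() and ask_question() still take a bare const gchar *text with nothing stating how it is treated, so a later caller cannot tell from the signature that % sequences are now displayed literally rather than expanded. A one-line comment above each wrapper, saying that text is shown verbatim and is never a format string, would document the contract that the added "%s" establishes. Separately, the touched line in ask_question() pairs GTK_BUTTONS_YES_NO with GTK_MESSAGE_ERROR; if that is not deliberate, GTK_MESSAGE_QUESTION fits a yes/no prompt better.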
@@ -654,7 +654,7 @@ void display_errors(GtkTextIter *iter =
 					GTK_DIALOG_DESTROY_WITH_PARENT,
 					GTK_MESSAGE_INFO,
 					GTK_BUTTONS_CLOSE,
-					CALCULATOR->message()->message().c_str());
+					"%s", CALCULATOR->message()->message().c_str());
 			gtk_dialog_run(GTK_DIALOG(edialog));
 			gtk_widget_destroy(edialog);
 		}
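Review bot: In this display_errors() call the added "%s", shares a line with CALCULATOR->message()->message().c_str(), while every other argument is on its own line. Putting "%s", on a separate line keeps the argument list consistent and makes the format argument easy to spot when auditing call sites. The string passed here is produced at run time rather than being a literal, so this is a call where the constant format matters.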
@@ -667,14 +667,14 @@ void display_errors(GtkTextIter *iter =
 					GTK_DIALOG_DESTROY_WITH_PARENT,
 					GTK_MESSAGE_ERROR,
 					GTK_BUTTONS_CLOSE,
-					str.c_str());
+					"%s", str.c_str());
 		} else {
 			edialog = gtk_message_dialog_new(
 					GTK_WINDOW(win),
 					GTK_DIALOG_DESTROY_WITH_PARENT,
 					GTK_MESSAGE_WARNING,
 					GTK_BUTTONS_CLOSE,
-					str.c_str());
+					"%s", str.c_str());
 		}
 
 		gtk_dialog_run(GTK_DIALOG(edialog));
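Review bot: The two branches in this hunk differ only in GTK_MESSAGE_ERROR versus GTK_MESSAGE_WARNING, and the patch now repeats "%s", str.c_str() in both. Selecting the message type into a local variable and calling gtk_message_dialog_new() once would leave a single format argument to get right. That refactor belongs upstream rather than in the Debian patch, so it is worth mentioning when the fix is forwarded.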

Attachment: signature.asc
Description: Digital signature


--- End Message ---
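
The class of bug the patch above fixes, shown as an added example that is not part of the original report or of qalculate-gtk. dialog_text() is a hypothetical stand-in for gtk_message_dialog_new() (a printf-style format parameter followed by variadic arguments), and the sample string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gtk_message_dialog_new(): the last fixed
 * parameter is a printf-style format, followed by variadic arguments.
 * The format attribute lets GCC/Clang check call sites, which is what
 * makes -Wformat-security fire on a non-literal format with no arguments. */
__attribute__((format(printf, 3, 4)))
static int dialog_text(char *out, size_t len, const char *message_format, ...) {
    va_list ap;
    va_start(ap, message_format);
    int n = vsnprintf(out, len, message_format, ap);
    va_end(ap);
    return n;
}

/* "Before" form: text is used as the format string. The diagnostic is
 * suppressed here only so the comparison still builds when
 * -Werror=format-security is active. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int show_message_before(char *out, size_t len, const char *text) {
    return dialog_text(out, len, text);
}
#pragma GCC diagnostic pop

/* "After" form, as in the patch: text is data for a constant "%s" format. */
int show_message_after(char *out, size_t len, const char *text) {
    return dialog_text(out, len, "%s", text);
}

int main(void) {
    /* Constructed input: "%%" is a defined conversion that needs no argument,
     * so the difference is visible without undefined behaviour. */
    const char *text = "Result exceeds 100%% of range";
    char before[64], after[64];
    show_message_before(before, sizeof before, text);
    show_message_after(after, sizeof after, text);
    printf("before: %s\nafter:  %s\n", before, after);
    return 0;
}
```

Removing the two pragma lines and building with -Werror=format-security makes the compiler reject show_message_before(), which is the build failure the report refers to.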
--- Begin Message ---
Source: qalculate-gtk
Source-Version: 0.9.7-5

We believe that the bug you reported is fixed in the latest version of
qalculate-gtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Legout <[email protected]> (supplier of updated qalculate-gtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 24 May 2013 18:22:02 +0200
Source: qalculate-gtk
Binary: qalculate-gtk qalculate
Architecture: source amd64 all
Version: 0.9.7-5
Distribution: unstable
Urgency: low
Maintainer: Vincent Legout <[email protected]>
Changed-By: Vincent Legout <[email protected]>
Description: 
 qalculate  - Powerful and easy to use desktop calculator - transitional
 qalculate-gtk - Powerful and easy to use desktop calculator - GTK+ version
Closes: 709530
Changes: 
 qalculate-gtk (0.9.7-5) unstable; urgency=low
 .
   * Add wformat-security.patch, fix build with -Werror=format-security. Thanks
     to Simon Ruderich (Closes: #709530)
   * Enable all hardening flags

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
