Your message dated Sun, 04 Sep 2016 22:17:10 +0000
with message-id <[email protected]>
and subject line Bug#835542: fixed in flex 2.5.39-8+deb8u2
has caused the Debian Bug report #835542,
regarding flex: comparison between signed and unsigned integer expressions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
835542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835542
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: flex
Version: 2.5.39-8+deb8u1
Severity: normal

After this update, I get the following warning when compiling the flex
generated code with gcc, which I didn't get before:

scan.cpp: In function ‘int yy_get_next_buffer(yyscan_t)’:
scan.cpp:758:18: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
scan.cpp:1384:3: note: in expansion of macro ‘YY_INPUT’

Looking at the code:

#define YY_INPUT(buf,result,max_size) \
	if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
		{ \
		int c = '*'; \
		size_t n; \
		for ( n = 0; n < max_size && \

Invoked as:

	int num_to_read = ...
	YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
		yyg->yy_n_chars, num_to_read );

So indeed an unsigned value (n) is compared with a signed one
(num_to_read). If this is correct, the warning can be silenced with a
cast of the appropriate one of them.

flex hasn't exactly been known for generating warning-free code, but
what really worries me is that this is a security update. Fixing a
security problem by introducing a sign-problem seems fishy to me.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages flex depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  install-info           5.2.0.dfsg.1-6
ii  libc6                  2.19-18+deb8u5
ii  libfl-dev              2.5.39-8+deb8u1
ii  m4                     1.4.17-4

Versions of packages flex recommends:
ii  clang-3.5 [c-compiler]  1:3.5-10
ii  gcc [c-compiler]        4:4.9.2-2
ii  gcc-4.8 [c-compiler]    4.8.4-1
ii  gcc-4.9 [c-compiler]    4.9.2-10

Versions of packages flex suggests:
ii  bison            2:3.0.2.dfsg-2
ii  build-essential  11.7

-- no debconf information
--- End Message ---
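The comparison the report above complains about (a `size_t` loop counter checked against an `int` bound) is reduced here to a stand-alone C program. This is an added example, not flex's generated code and not the reporter's: `bound_holds_unsafe` and `bound_holds_safe` isolate the one comparison in the two forms, and `read_interactive` is a constructed stand-in for the interactive branch of YY_INPUT that reads from a string instead of `getc(yyin)`. The names and the sample inputs are assumptions for the demonstration; what it shows is why `-Wsign-compare` fires and why the cast the changelog adds must follow a range check rather than replace one.

```c
/* Added example (not flex's code): the signed/unsigned comparison from the
 * bug report, reduced to a stand-alone C program. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The comparison as generated: `n' is size_t, `max_size' is int.  Under the
 * usual arithmetic conversions the int is converted to size_t, so a negative
 * max_size becomes SIZE_MAX and the bound silently turns into "always true".
 * This is the line -Wsign-compare warns about. */
int bound_holds_unsafe(size_t n, int max_size)
{
    return n < max_size;
}

/* Same check with the int validated before it is converted.  The cast alone
 * would silence the warning but keep the wrap-around; the range check is what
 * removes it. */
int bound_holds_safe(size_t n, int max_size)
{
    if (max_size <= 0)
        return 0;                 /* nothing may be read into buf */
    return n < (size_t)max_size;
}

/* Constructed stand-in for the interactive read loop (hypothetical, not the
 * YY_INPUT macro itself): copies characters from `src', which stands in for
 * the input stream, into `buf' one at a time and stops at newline, end of
 * input or when the bound is reached.  Returns the number of characters
 * stored, or -1 when max_size is not positive. */
int read_interactive(char *buf, int max_size, const char *src)
{
    if (max_size <= 0)
        return -1;
    size_t limit = (size_t)max_size;   /* explicit, after the range check */
    size_t n;
    for (n = 0; n < limit && src[n] != '\0' && src[n] != '\n'; ++n)
        buf[n] = src[n];
    if (n < limit && src[n] == '\n')   /* keep the newline, as the loop does */
        buf[n++] = '\n';
    return (int)n;
}

/* Scratch buffer used by main() below (and by the accompanying checks). */
char demo_buf[8];

int main(void)
{
    printf("n=5, max_size=-1: unsafe=%d safe=%d\n",
           bound_holds_unsafe(5, -1), bound_holds_safe(5, -1));
    int got = read_interactive(demo_buf, (int)sizeof demo_buf, "hello world\n");
    printf("read %d bytes: %.*s\n", got, got, demo_buf);
    return 0;
}
```

Compiled with `gcc -Wall -Wextra`, the first function reproduces the `comparison between signed and unsigned integer expressions` diagnostic; the second compiles cleanly and, more importantly, refuses a negative bound instead of treating it as an enormous one.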
--- Begin Message ---
Source: flex
Source-Version: 2.5.39-8+deb8u2

We believe that the bug you reported is fixed in the latest version of
flex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated flex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Sep 2016 07:04:46 +0200
Source: flex
Binary: flex flex-doc libfl-dev
Architecture: all source
Version: 2.5.39-8+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Manoj Srivastava <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 835542
Description:
 flex       - fast lexical analyzer generator
 flex-doc   - Documentation for flex (a fast lexical analyzer generator)
 libfl-dev  - static library for flex (a fast lexical analyzer generator)
Changes:
 flex (2.5.39-8+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Tweak CVE-2016-6354 patch to have the changes propagated.
     As noticed by Robert Shearman due to the patching of skel.c in previous
     patches and thus updated timestamps, skel.c is not regenerated during
     build, resulting in the CVE-2016-6354 fix actually not being applied
     completely.
     Thanks to Robert Shearman and Frank Heckenbach (Closes: #835542)
   * Generated code, `max_size' seems to be of type `int', fix casts
     accordingly.
     Regression introduced by the fix for CVE-2016-6354 in DSA-3653-1.
     Thanks to Frank Heckenbach and Robert Shearman.
     (Closes: #835542)
Checksums-Sha1:
 d35ccedf8c91cb13c817b1f2e3217f26fcc256ba 2125 flex_2.5.39-8+deb8u2.dsc
 13213ad7b65d6d2dfdbf5f3b55568b786181b7b1 27828 flex_2.5.39-8+deb8u2.debian.tar.xz
 992a4f1a9a35f68d8e2856c38654e3c0a8223267 740492 flex-doc_2.5.39-8+deb8u2_all.deb
Checksums-Sha256:
 57b9ce84f0df938a17e49d99a20a7e269d4fa1bc3d7132d16a7b42faaa564ea0 2125 flex_2.5.39-8+deb8u2.dsc
 10a97a9d951a408551a41f475a3aaf656724900335e72e955615895777586ad6 27828 flex_2.5.39-8+deb8u2.debian.tar.xz
 e0453bed3f65f86235202c6f6d1670004eec7046ea1bf04ea8e4188ca7661125 740492 flex-doc_2.5.39-8+deb8u2_all.deb
Files:
 66c8b25994a9592aa9e786074ee92a2a 2125 devel optional flex_2.5.39-8+deb8u2.dsc
 962e5a161df9195e2ac751218e9aa720 27828 devel optional flex_2.5.39-8+deb8u2.debian.tar.xz
 14588a55da893e338d4cd249e3698e55 740492 doc optional flex-doc_2.5.39-8+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----

iQIvBAEBCgAZBQJXy69NEhxjYXJuaWxAZGViaWFuLm9yZwAKCRAFTLjzE0PPRKAB
D/kBZqfKNbpoTAhEuRqey05G/02cVvj23+y1lV1dm+EKE6psPMkrAO4g2WFdJUXn
+p+UrTa1kY9PgNv5fQwBQqDTbWdpO78EiFcvxujTU2dpN6kdF4Ap5zHaR8qVkx13
KpfZcuVb6TpfQlaopDLbbOWpXuHj9k5Ls+c3uhLC8jQzSyZyo6YtIwms+UCxSC8h
a3URMXvhTWGRS2r6QWYo9xjfk56Xor2iaQBeQBnlEyUxgv5NF4xXXNDZPmq1C4FM
lPOnI1DC4XNrH/Ns+RcImicaAoj1DeJRMCGdQb9zY7M2LZO8h4MnsIwMFy6t2ByP
mohbrtEjzG6GOn3HD8zsGYE/891WSxaFIXjhywXs937Lot1DZFIw0US8qCE5Veoq
KZxVllPwS2vM7nAxA4BYTSnqEw0ciCfhxMuxTuO/O8ByAsnWyswNPRJ2ksbUYJYE
tqr/8Ma/NRjSPtsvU2qY7RGnGUkoLGPFVMJaiOwAgk84kB8M9mCnLpzesG8F/OzV
GjKeZ6yg1FDThK1vKZPxV5KADuQQ5wfQMTuN0LmJLh+MOtOGnBDvIctXMQhc2SFl
MDBEr6hjIPe0r2jD3ZHMwDopCb911Eezcy2A/PaAItGMY/iudT/IRWv3RC3v/zKH
nGWA/mh71iT57ZkKptVdEr3wjrs5exjHzYFNCNgowBg9ZQ==
=dbzy
-----END PGP SIGNATURE-----
--- End Message ---