Source: dlume
Version: 0.2.4-7
Severity: normal
User: [email protected]
Usertags: hardening-format-security hardening

The package dlume fails to compile with the new hardened compiler flags dpkg-buildflag outputs. The problematic flag is: -Werror=format-security

See the Ubuntu buildlog:
https://launchpadlibrarian.net/83126848/buildlog_ubuntu-precise-i386.dlume_0.2.4-7_FAILEDTOBUILD.txt.gz

Snippet:

gcc -DHAVE_CONFIG_H -I. -I.. -I../include -DPACKAGE_LOCALE_DIR=\""/usr/share/locale"\" -pthread -I/usr/include/gtk-2.0 -I/usr/lib/i386-linux-gnu/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib/i386-linux-gnu/glib-2.0/include -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/libxml2 -Wall -O2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -c -o dlume-export.o `test -f 'export.c' || echo './'`export.c
export.c: In function 'export_data_as_html':
export.c:507:5: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

The buildflags are not used in Debian, but can be enabled e.g. with this patch:

--- dlume-0.2.4/debian/rules 2011-09-27 10:36:25.000000000 +0200 +++ /var/cache/pbuilder/build/cow.26132/tmp/dlume-0.2.4/debian/rules 2011-10-22 19:58:40.257905451 +0200 @@ -12,7 +12,7 @@ cp -vf /usr/share/misc/config.guess . cp -vf $(shell ls /usr/share/automake-*/mkinstalldirs | tail -n 1) . autoreconf -vfi - dh_auto_configure + dh_auto_configure -- $(shell dpkg-buildflags --export=configure) override_dh_auto_clean: # Delete all files that are copied by autoreconf or override_dh_auto_configure.

Please fix the issues and maybe also enable the hardened build in Debian.
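
Review bot: The added `dh_auto_configure -- $(shell dpkg-buildflags --export=configure)` line turns on -Werror=format-security for the whole build, and the build log quoted in this report shows export.c:507 in export_data_as_html failing under exactly that flag, so applied on its own this change makes the package fail to build. It should land together with a fix for that call, giving it a literal format string (for example "%s" with the data passed as the argument). Separately, the `+++` header carries a local pbuilder path (/var/cache/pbuilder/build/cow.26132/tmp/dlume-0.2.4/debian/rules) that does not match the relative `---` side; regenerating the diff with matching path prefixes would let it apply cleanly at one strip level.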

