On Sun, Jan 08, 2012 at 06:13:59PM +0100, Moritz Muehlenhoff wrote:
> Package: emacs23
> Version: 23.3+1-4
> Severity: important
> Tags: patch
> 
> Hi Rob,
> Please enable hardened build flags through dpkg-buildflags.
> 
> Patch attached. (dpkg-buildflags abides by "noopt" from DEB_BUILD_OPTIONS)

I forgot to add that "-Wformat -Wformat-security -Werror=format-security"
exposed missing format strings in movemail, for which I attach a patch.

Cheers,
        Moritz
diff -aur emacs23-23.3+1.orig/lib-src/movemail.c emacs23-23.3+1/lib-src/movemail.c
--- emacs23-23.3+1.orig/lib-src/movemail.c	2011-12-29 05:07:27.000000000 +0100
+++ emacs23-23.3+1/lib-src/movemail.c	2012-01-08 17:31:22.000000000 +0100
@@ -615,11 +615,11 @@
 {
   fprintf (stderr, "movemail: ");
   if (s3)
-    fprintf (stderr, s1, s2, s3);
+    fprintf (stderr, "%s%s%s", s1, s2, s3);
   else if (s2)
-    fprintf (stderr, s1, s2);
+    fprintf (stderr, "%s%s", s1, s2);
   else
-    fprintf (stderr, s1);
+    fprintf (stderr, "%s", s1);
   fprintf (stderr, "\n");
 }
 
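Review bot: In all three replaced fprintf calls, s1 stops being the format string, so a caller that passes s1 with conversion specifiers meant to be filled from s2 and s3 will now see them printed literally, with s2 and s3 appended afterwards. A non-string s2 or s3 would also be read as a char pointer by "%s". Please check the callers of this function before applying. If any of them rely on s1 as a format, keep that behaviour and satisfy -Wformat-security another way, for example by making the function variadic with a printf format attribute and forwarding to vfprintf.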
Nur in emacs23-23.3+1/lib-src: movemail.c~.
