On Fri, Mar 09, 2012 at 10:25:11AM +0200, Niko Tyni wrote:
> On Mon, Feb 27, 2012 at 09:43:10PM +0000, Dominic Hargreaves wrote:
> > Source: libterm-slang-perl
> > Severity: normal
> > Version: 0.07-11
>
> [Joey: do you think we should still keep this package alive? See below.]
>
> > User: debian...@lists.debian.org
> > Usertags: hardening-format-security hardening
> >
> > With hardening flags enabled, this package FTBFS:
> >
> > Slang.c: In function 'XS_Term__Slang_SLsmg_printf':
> > Slang.c:301:2: error: format not a string literal and no format arguments
> > [-Werror=format-security]
>
> This is wrapping the SLsmg_printf() vararg function in the
> S-lang library.
>
> The current implementation of the Perl binding of SLsmg_printf() only uses
> the first argument, and is therefore equivalent to SLsmg_write_string()
> except that it breaks with format strings.
>
> A program that calls SLsmg_printf() with untrusted data would be vulnerable.
> In practice that seems improbable, so I don't think this needs fixing in
> stable. Cc'ing the security team in case they disagree.
Agreed.

Cheers,
Moritz
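The wrapper problem Niko describes, shown as an added example that is not code from libterm-slang-perl or from S-lang. It models the XS function in plain C: fake_slsmg_printf() is a constructed stand-in for SLsmg_printf() that writes to a buffer instead of the screen, render_as_was() passes the Perl string straight through as the format (the pattern the -Werror=format-security diagnostic flags), render_fixed() pins the format to "%s" so the string is only ever data, and escape_percent() is the alternative when a printf-style path has to be kept. All names are assumptions for the example. The demonstration input deliberately contains only "%%", because any other conversion with no matching argument is undefined behaviour, which is exactly why the original binding is a bug.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for S-lang's SLsmg_printf(): same vararg shape, but
 * it renders into a caller-supplied buffer instead of the virtual screen.
 * The format attribute is what lets a compiler with -Wformat-security
 * complain about render_as_was() below, as it did for Slang.c:301. */
__attribute__((format(printf, 3, 4)))
static int fake_slsmg_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

static char g_out[128];

/* Model of the binding as it was: the Perl string becomes the format, so
 * every '%' in it is interpreted rather than printed. */
const char *render_as_was(const char *perl_str)
{
    fake_slsmg_printf(g_out, sizeof g_out, perl_str); /* non-literal format */
    return g_out;
}

/* Fixed binding: a literal "%s" format; the Perl string is plain data and is
 * never parsed, which matches the SLsmg_write_string() behaviour the
 * binding was effectively providing anyway. */
const char *render_fixed(const char *perl_str)
{
    fake_slsmg_printf(g_out, sizeof g_out, "%s", perl_str);
    return g_out;
}

/* Alternative when the printf path must stay: double every '%' so the
 * string survives being used as a format. Returns 0 if out is too small. */
int escape_percent(char *out, size_t n, const char *s)
{
    size_t j = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (j + 2 >= n) return 0;
            out[j++] = '%';
            out[j++] = '%';
        } else {
            if (j + 1 >= n) return 0;
            out[j++] = *s;
        }
    }
    out[j] = '\0';
    return 1;
}

static char g_esc[128];

/* Convenience wrapper for the escaped path; returns NULL on overflow. */
const char *render_escaped(const char *perl_str)
{
    if (!escape_percent(g_esc, sizeof g_esc, perl_str))
        return NULL;
    return render_as_was(g_esc);
}

int main(void)
{
    const char *untrusted = "50%% done"; /* constructed sample input */
    printf("as-was : %s\n", render_as_was(untrusted));  /* 50% done   */
    printf("fixed  : %s\n", render_fixed(untrusted));   /* 50%% done  */
    printf("escaped: %s\n", render_escaped(untrusted)); /* 50%% done  */
    return 0;
}
```

Compile with `gcc -Wformat -Wformat-security` to see the same class of warning the Debian hardening build turned into an error; the warning points at render_as_was() only, since the other two paths hand the compiler a literal format.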