Package: lftp Version: 4.3.5-1 Severity: important Tags: patch Dear Maintainer,
The CXXFLAGS hardening flags are missing because they are not set
in debian/rules. This prevents CXXFLAGS hardening in src/*.
The following patch fixes the issue.
diff -Nru lftp-4.3.5/debian/rules lftp-4.3.5/debian/rules
--- lftp-4.3.5/debian/rules 2012-01-13 20:11:25.000000000 +0100
+++ lftp-4.3.5/debian/rules 2012-03-13 22:44:24.000000000 +0100
@@ -14,6 +14,7 @@
CFLAGS = `dpkg-buildflags --get CFLAGS`
CFLAGS += -g -Wall
+CXXFLAGS = `dpkg-buildflags --get CXXFLAGS` -g -Wall
LDFLAGS = `dpkg-buildflags --get LDFLAGS`
CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
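Review bot: The added `CXXFLAGS` line only picks up whatever hardening features dpkg-buildflags enables by default, and nothing in this hunk selects more. On dpkg versions where PIE and bindnow are outside the default set they stay off unless something like `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` is added near the top of debian/rules. The line also folds `-g -Wall` into the assignment while `CFLAGS` uses a separate `+=` line; `CXXFLAGS += -g -Wall` on its own line would keep the two consistent. It is worth confirming the result with blhc on the build log or hardening-check on the binaries, because a Makefile under src/ that overrides CXXFLAGS would drop the flags silently.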
@@ -21,7 +22,7 @@
configure-stamp:
dh_testdir
# Add here commands to configure the package.
- CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)"
./configure \
+ CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" CPPFLAGS="$(CPPFLAGS)"
LDFLAGS="$(LDFLAGS)" ./configure \
--prefix=/usr \
--mandir=\$${prefix}/share/man \
--infodir=\$${prefix}/share/info \
While building with the CXXFLAGS, several -Wformat-security errors
occurred. The attached patch fixes those. I'm not sure if the first
fix (Fish.cc) is correct though; please have a look.
Regards,
Simon
[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Fix errors reported by -Werror=format-security. Author: Simon Ruderich <[email protected]> Last-Update: 2012-03-13 Index: lftp-4.3.5/src/Fish.cc =================================================================== --- lftp-4.3.5.orig/src/Fish.cc 2012-03-13 23:23:55.709806633 +0100 +++ lftp-4.3.5/src/Fish.cc 2012-03-13 23:24:31.593807999 +0100 @@ -564,7 +564,7 @@ const char *eol=strchr(err,'\n'); if(eol) { xstring &e=xstring::get_tmp(err,eol-err); - LogError(0,e); + LogError(0,"%s",e.tmp_buf(eol-err)); SetError(NO_FILE,e); if(pty_recv_buf) pty_recv_buf->Skip(eol-err+1); Index: lftp-4.3.5/src/Job.h =================================================================== --- lftp-4.3.5.orig/src/Job.h 2012-03-13 23:23:55.677806632 +0100 +++ lftp-4.3.5/src/Job.h 2012-03-13 23:24:31.597807999 +0100 @@ -77,7 +77,7 @@ void ClearStatus() { const char *empty=""; - eprintf(empty); + eprintf("%s",empty); /* just "" causes a -Wformat-zero-length" warning, not sure what this line does though */ } virtual void SayFinal() {}; // final phrase of fg job virtual int Done()=0; Index: lftp-4.3.5/src/SleepJob.cc =================================================================== --- lftp-4.3.5.orig/src/SleepJob.cc 2012-03-13 23:23:55.625806630 +0100 +++ lftp-4.3.5/src/SleepJob.cc 2012-03-13 23:24:31.597807999 +0100 @@ -119,7 +119,7 @@ Job::ShowRunStatus(s); else { - s->Show(Status()); + s->Show("%s",Status()); current->TimeoutS(1); } } Index: lftp-4.3.5/src/mgetJob.cc =================================================================== --- lftp-4.3.5.orig/src/mgetJob.cc 2012-03-13 23:23:55.625806630 +0100 +++ lftp-4.3.5/src/mgetJob.cc 2012-03-13 23:24:31.597807999 +0100 @@ -36,7 +36,7 @@ { if(rg) { - s->Show(rg->Status()); + s->Show("%s",rg->Status()); return; } GetJob::ShowRunStatus(s);
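Review bot: In the Fish.cc hunk the new argument `e.tmp_buf(eol-err)` is not the string the old call logged: the removed line passed `e` itself, and `SetError(NO_FILE,e)` right after it still does, so the logged text and the stored error may now differ. If `tmp_buf` hands out scratch storage rather than the contents of `e` (not visible here, and the submitter marks this fix as unsure), the log line would be empty or stale. Keeping `err` out of the format position is the right direction, since it looks like data received from the remote side; a form that needs no xstring accessor is `LogError(0,"%.*s",(int)(eol-err),err);`. The enclosing function starts and ends outside the hunk.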
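Review bot: The comment added in `ClearStatus()` in the Job.h hunk records the author's uncertainty ("not sure what this line does though") and has an unbalanced quote after `-Wformat-zero-length`, so it documents neither the intent nor the reason for the workaround. `empty` is a constant empty string, so the old call was flagged only for using a non-literal format. I would replace the comment with `/* "%s" with an empty argument: a literal "" format trips -Wformat-zero-length */`.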

