Your message dated Mon, 12 Feb 2018 21:05:04 +0000
with message-id <e1ellhc-00068c...@fasolo.debian.org>
and subject line Bug#835542: fixed in flex 2.6.4-1
has caused the Debian Bug report #835542,
regarding flex: comparison between signed and unsigned integer expressions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
835542: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835542
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flex
Version: 2.5.39-8+deb8u1
Severity: normal

After this update, I get the following warning when compiling the
flex generated code with gcc, which I didn't get before:

scan.cpp: In function ‘int yy_get_next_buffer(yyscan_t)’:
scan.cpp:758:18: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
scan.cpp:1384:3: note: in expansion of macro ‘YY_INPUT’

Looking at the code:

#define YY_INPUT(buf,result,max_size) \
        if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
                { \
                int c = '*'; \
                size_t n; \
                for ( n = 0; n < max_size && \

Invoked as:

int num_to_read = ...
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
                        yyg->yy_n_chars, num_to_read );

So indeed an unsigned value (n) is compared with a signed one
(num_to_read). If this is correct, the warning can be silenced with
a cast of the appropriate one of them.

flex hasn't exactly been known for generating warning-free code,
but what really worries me is that this is a security update. Fixing
a security problem by introducing a sign-problem seems fishy to me.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages flex depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  dpkg                   1.17.27
ii  install-info           5.2.0.dfsg.1-6
ii  libc6                  2.19-18+deb8u5
ii  libfl-dev              2.5.39-8+deb8u1
ii  m4                     1.4.17-4

Versions of packages flex recommends:
ii  clang-3.5 [c-compiler]  1:3.5-10
ii  gcc [c-compiler]        4:4.9.2-2
ii  gcc-4.8 [c-compiler]    4.8.4-1
ii  gcc-4.9 [c-compiler]    4.9.2-10

Versions of packages flex suggests:
ii  bison            2:3.0.2.dfsg-2
ii  build-essential  11.7

-- no debconf information

--- End Message ---
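
An added example, not part of the report above and not flex's own code: the loop shape quoted in the report (a size_t counter compared against an int limit), with a constructed in-memory input standing in for getc(yyin). It shows what the conversion does under the assumption that the limit is ever negative, next to a checked variant; the names src, read_mixed, read_checked and demo are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for getc(yyin): a fixed in-memory input. */
struct src { const char *p; size_t len, pos; };

static int src_getc(struct src *s) {
    return s->pos < s->len ? (unsigned char)s->p[s->pos++] : -1;
}

/* Loop shape from the report: size_t counter, int limit. The cast spells out
 * the conversion the compiler applies implicitly; a negative limit becomes a
 * huge bound. Returns how many bytes the loop wants to store; only the first
 * `cap` are written so this demo stays in bounds. */
size_t read_mixed(struct src *s, char *buf, size_t cap, int max_size) {
    int c;
    size_t n;
    for (n = 0; n < (size_t)max_size && (c = src_getc(s)) != -1 && c != '\n'; ++n)
        if (n < cap) buf[n] = (char)c;
    return n;
}

/* Checked variant: reject a non-positive limit before converting, clamp to cap. */
size_t read_checked(struct src *s, char *buf, size_t cap, int max_size) {
    int c;
    size_t n, limit;
    if (max_size <= 0) return 0;
    limit = (size_t)max_size < cap ? (size_t)max_size : cap;
    for (n = 0; n < limit && (c = src_getc(s)) != -1 && c != '\n'; ++n)
        buf[n] = (char)c;
    return n;
}

/* Run one variant over a constructed 16-byte line with an 8-byte buffer. */
size_t demo(int max_size, int checked) {
    struct src s = { "AAAAAAAAAAAAAAAA\n", 17, 0 };
    char buf[8];
    return checked ? read_checked(&s, buf, sizeof buf, max_size)
                   : read_mixed(&s, buf, sizeof buf, max_size);
}

int main(void) {
    printf("limit  8: mixed=%zu checked=%zu\n", demo(8, 0), demo(8, 1));
    printf("limit -1: mixed=%zu checked=%zu\n", demo(-1, 0), demo(-1, 1));
    return 0;
}
```

A plain cast silences -Wsign-compare in both variants; only the range check before the cast changes what happens for a negative limit.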
--- Begin Message ---
Source: flex
Source-Version: 2.6.4-1

We believe that the bug you reported is fixed in the latest version of
flex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 835...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manoj Srivastava <sriva...@debian.org> (supplier of updated flex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 Feb 2018 11:19:29 -0800
Source: flex
Binary: flex flex-doc libfl-dev
Architecture: source amd64 all
Version: 2.6.4-1
Distribution: unstable
Urgency: medium
Maintainer: Manoj Srivastava <sriva...@debian.org>
Changed-By: Manoj Srivastava <sriva...@debian.org>
Description:
 flex       - fast lexical analyzer generator
 flex-doc   - Documentation for flex (a fast lexical analyzer generator)
 libfl-dev  - static library for flex (a fast lexical analyzer generator)
Closes: 835542 851675 856956
Changes:
 flex (2.6.4-1) unstable; urgency=medium
 .
   * New upstream version. Notable changes
     + a segfault involving yyrestart(NULL) has been fixed
     + flex should now handle quoting when mixed with m4 processing correctly
     + flex handles `[[' and `]]' correctly
     + flex no longer generates non-ANSI code
     + more compilation warnings were squashed in generated scanners
     + prevented a buffer overflow that could occur when input buffers were
       the exact wrong size
     + several bug fixes resolved problems introduced in recent flex
       versions regarding processing of comments, literals and various
       quoting scenarios.
     +  If the path to m4 was sufficiently long, a buffer overflow could
        occur. This has been resolved. The fix also removes dependence on
        the constant PATH_MAX.
     + Some minor performance enhancements.
     +  We honor user defined yy_* macros again. We are also more careful
        to not leak macro definitions into header files.
     + A number of portability fixes were introduced so building flex is
       more reliable on more platforms. Additionally, outdated function
       calls were removed.
     + When building the flex executable itself, %# comments from
       flex.skl are removed when generating the C source code array. This
       reduces the size of flex.
     + Flex can be cross compiled.
   * Bug fix: "comparison between signed and unsigned integer expressions",
     thanks to Frank Heckenbach. This should be fixed now. (Closes: #835542).
   * Bug fix: "Please update homepage in package description", thanks to
     Tim Ruehsen (Closes: #851675).
   * Bug fix: "Should Suggest: flex-doc", thanks to Yuri D'Elia
     (Closes: #856956).
   * Stole some commits from 2.6.5 to fix FTBS issues in 2.6.4 release.


--- End Message ---
