On Mon, Mar 12, 2012 at 02:58:05PM +0100, Torsten Förtsch wrote:
> On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> > The two usage warnings use constant strings so
> > they seem safe,
>
> They are safe since the "usage" variable is constant and does not contain any
> %-sequences. I do not see the need to fix anything here. What do I miss?

The fact that gcc can't see this and so building with -Werror=format-security
fails. Consider that part of the patch as silencing false positive warnings.

> > but I'm afraid I can't tell whether this is the case
> > for ERRSV in the mpxs_cleanup_run() phase.
>
> These occasions are fixed as of revision 1299669 as described in my previous
> mail.

Thanks! Can you think of a scenario where an attacker could inject
format sequences to ERRSV? That would make earlier releases vulnerable.
-- 
Niko Tyni   nt...@debian.org
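
The -Werror=format-security point discussed in this message, as an added C example that is not mod_perl code and not part of the original mail. `report()`, `report_as_format()` and `report_as_data()` are hypothetical names standing in for a printf-style warn/croak API, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style reporter (not a mod_perl or Perl API). The
 * format attribute makes gcc check every call site like printf itself. */
__attribute__((format(printf, 3, 4)))
static int report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Before: the message is the format string. gcc cannot tell whether msg
 * holds %-sequences, so -Werror=format-security rejects this call. The
 * pragmas only let the "before" form compile next to the fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int report_as_format(char *out, size_t n, const char *msg)
{
    return report(out, n, msg);
}
#pragma GCC diagnostic pop

/* After: constant format, message passed as data and copied verbatim. */
static int report_as_data(char *out, size_t n, const char *msg)
{
    return report(out, n, "%s", msg);
}

int main(void)
{
    /* Constructed sample. It uses only "%%", which consumes no argument;
     * any other conversion in the "before" call is undefined behaviour. */
    const char *msg = "disk 100%% full";
    char a[64], b[64];

    report_as_format(a, sizeof a, msg);
    report_as_data(b, sizeof b, msg);
    printf("as format: %s\nas data:   %s\n", a, b);
    printf("identical: %s\n", strcmp(a, b) == 0 ? "yes" : "no");
    return 0;
}
```

Removing the pragmas and compiling with `gcc -Wformat -Werror=format-security` reproduces the build failure on the "before" call, whether or not the string passed at run time contains any %-sequences.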