Source: patchutils
Version: 0.3.4-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi!

While working on the "reproducible builds" effort [1], we have noticed
that patchutils could not be built reproducibly.
It does not use CFLAGS provided by dpkg-buildflags for building, which
would set -fdebug-prefix-map to prevent the full build path from being
included in debugging symbols.

The attached patch fixes that by using dpkg-buildflags for setting CFLAGS.
Due to -Werror=format-security, which is then also set by dpkg-buildflags,
the build failed because of a format string issue.
A patch for this is also included.

Regards,
 Reiner

[1]: https://wiki.debian.org/ReproducibleBuilds
diff --git a/debian/patches/format_string b/debian/patches/format_string
new file mode 100644
index 0000000..f38677e
--- /dev/null
+++ b/debian/patches/format_string
@@ -0,0 +1,27 @@
+Author: Reiner Herrmann <rei...@reiner-h.de>
+Description: don't pass error message directly as format string to error()
+ Build fails with -Werror=format-security enabled, because no constant string
+ is passed as error string.
+ Passing a string based on user input (regex) directly as format string is
+ a security issue.
+
+--- a/src/filterdiff.c
++++ b/src/filterdiff.c
+@@ -1355,7 +1355,7 @@
+ 			char errstr[300];
+ 			regerror (err, &regex[num_regex - 1], errstr,
+ 				  sizeof (errstr));
+-			error (EXIT_FAILURE, 0, errstr);
++			error (EXIT_FAILURE, 0, "%s", errstr);
+ 			exit (1);
+ 		}
+ 	}
+@@ -1613,7 +1613,7 @@
+ 			char errstr[300];
+ 			regerror (err, &regex[num_regex - 1], errstr,
+ 				  sizeof (errstr));
+-			error (EXIT_FAILURE, 0, errstr);
++			error (EXIT_FAILURE, 0, "%s", errstr);
+ 			exit (1);
+ 		}
+ 	}
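Review bot: The DEP-3 header of the new patch file gives Author and Description but no Forwarded: (or Bug:) field, so it is not clear whether this fix to src/filterdiff.c has been sent upstream; since it is a genuine correctness fix rather than Debian-specific packaging, add a `Forwarded:` line (the upstream report URL, or `no` until one exists). Also, in both hunks the `exit (1);` right after `error (EXIT_FAILURE, 0, "%s", errstr);` is unreachable, because error() exits itself when given a non-zero status; that is pre-existing context, not introduced here, but worth pointing out when forwarding.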
diff --git a/debian/patches/series b/debian/patches/series
index 72dc30c..a584743 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 espdiff.6
 posixness_fix
+format_string
diff --git a/debian/rules b/debian/rules
index 5717bca..18a29ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -13,7 +13,7 @@ else
 CONFFLAGS = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
 endif
 
-CFLAGS = -g
+CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
 
 ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
 CFLAGS += -O2
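Review bot: With CFLAGS now taken from `dpkg-buildflags --get CFLAGS`, the `ifeq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))` / `CFLAGS += -O2` block that follows is redundant: dpkg-buildflags already emits -O2, or -O0 when DEB_BUILD_OPTIONS contains noopt, so the block only appends a duplicate -O2; consider removing it so the optimisation level is the one dpkg-buildflags computes. The change also picks up only CFLAGS; CPPFLAGS and LDFLAGS from dpkg-buildflags (which carry the hardening flags) are still not used, so `--get CPPFLAGS` / `--get LDFLAGS`, or `include /usr/share/dpkg/buildflags.mk`, would be the more complete fix.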
