Bug#728333: console-tools: FTBFS due to format string vulnerability

2013-10-30 Thread Thorsten Glaser 
Source: console-tools
Version: 2:0.2.3-72
Severity: serious
Justification: fails to build from source (but built successfully in the past)

ksyms.c: In function 'list_charsets':   
 
ksyms.c:1667:5: error: format not a string literal and no format arguments 
[-Werror=format-security] 
 fprintf(f, charsets[i].charset+lth);   
 
 ^  
 

This is pretty nasty. I’m currently testing a patch
(basically adding %s, after f, there), and will
send it when it works.

This appears to be masked on other architectures because they
errorneously don’t build with -Wformat -Werror=format-security
(no idea why). Full build log is at:
http://buildd.debian-ports.org/status/fetch.php?pkg=console-toolsarch=m68kver=2%3A0.2.3-72stamp=1383160956

It’s still a bug, of course ;-)

-- System Information:
Debian Release: jessie/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'unstable')
Architecture: m68k

Kernel: Linux 3.11-1-m68k
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#728333: console-tools: FTBFS due to format string vulnerability

2013-10-30 Thread Thorsten Glaser 
tags 728333 + patch
thanks

Dixi quod…

This appears to be masked on other architectures because they
errorneously don’t build with -Wformat -Werror=format-security

Oh, this is fun… when I build it in cowbuilder, it also lacks
these flags. So here is the obvious patch, but I can only test
it once it’s uploaded, either as NMU (which I’ll do in a week,
unless you tell me to do it now or disagree) or maintainer up-
load.

bye,
//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2diff -Nru console-tools-0.2.3/debian/changelog 
console-tools-0.2.3/debian/changelog
--- console-tools-0.2.3/debian/changelog2013-10-26 21:27:53.0 
+
+++ console-tools-0.2.3/debian/changelog2013-10-30 19:57:38.0 
+
@@ -1,3 +1,10 @@
+console-tools (2:0.2.3-72.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fix FTBFS due to format string problem.
+
+ -- Thorsten Glaser t...@mirbsd.de  Wed, 30 Oct 2013 19:57:25 +
+
 console-tools (2:0.2.3-72) unstable; urgency=low
 
   * Really remove the dependency on dbs. Closes: #576051.
diff -Nru console-tools-0.2.3/debian/patches/600_formatstring.patch 
console-tools-0.2.3/debian/patches/600_formatstring.patch
--- console-tools-0.2.3/debian/patches/600_formatstring.patch   1970-01-01 
00:00:00.0 +
+++ console-tools-0.2.3/debian/patches/600_formatstring.patch   2013-10-30 
19:57:20.0 +
@@ -0,0 +1,11 @@
+--- a/lib/ksyms.c
 b/lib/ksyms.c
+@@ -1664,7 +1664,7 @@ list_charsets(FILE *f) {
+   if(!strncmp(charsets[i].charset, mm[j], lth)) {
+   if(ct++)
+   fprintf(f, ,);
+-  fprintf(f, charsets[i].charset+lth);
++  fprintf(f, %s, charsets[i].charset+lth);
+   }
+   }
+   fprintf(f, });
diff -Nru console-tools-0.2.3/debian/patches/series 
console-tools-0.2.3/debian/patches/series
--- console-tools-0.2.3/debian/patches/series   2013-10-15 18:27:35.0 
+
+++ console-tools-0.2.3/debian/patches/series   2013-10-30 19:56:57.0 
+
@@ -54,3 +54,4 @@
 540_KDSKBDIACRUC.patch
 550_fr.patch
 560_unicode_stop.patch
+600_formatstring.patch