Bug#855605: rtkit uses dbus_message_new_error_printf unsafely

2017-02-21 Thread Andrew Shadura
On 21/02/17 04:03, Felipe Sateler wrote:
> On Mon, Feb 20, 2017 at 3:28 PM, Andrew Shadura wrote:
>> rtkit uses dbus_message_new_error_printf in an unsafe way, which also causes
>> it to FTBFS when it builds against a newer dbus version (e.g. 1.11.8 and
>> newer, available in experimental):

> Do you consider this something that should be fixed in stretch? I just
> realized I have a pile of pending changes that are not appropriate for
> the freeze, so I'd have to prepare an upload for this.

It's up to you. We fixed this in the downstream package; whether this
warrants an update for stretch or not is something for you and the release
team to decide.

> In any case I applied your patch to the git repo.

Thanks!

-- 
Cheers,
  Andrew





Bug#855605: rtkit uses dbus_message_new_error_printf unsafely

2017-02-20 Thread Felipe Sateler
On Mon, Feb 20, 2017 at 3:28 PM, Andrew Shadura wrote:
> Package: rtkit
> Version: 0.11-4
> Severity: important
>
> Dear Maintainer,
>
> rtkit uses dbus_message_new_error_printf in an unsafe way, which also causes
> it to FTBFS when it builds against a newer dbus version (e.g. 1.11.8 and
> newer, available in experimental):

Do you consider this something that should be fixed in stretch? I just
realized I have a pile of pending changes that are not appropriate for
the freeze, so I'd have to prepare an upload for this.

In any case I applied your patch to the git repo.

-- 

Saludos,
Felipe Sateler
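
The call pattern named in the report, reduced to a self-contained C example that is added here and is not code from rtkit or from this thread. `new_error_printf` is a hypothetical stand-in with the same trailing parameters as `dbus_message_new_error_printf`; the error name and sample message are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for dbus_message_new_error_printf(): same trailing
 * (error_name, error_format, ...) parameters, formatting into a caller buffer.
 * The format attribute (an assumption here) is what lets GCC check callers. */
__attribute__((format(printf, 4, 5)))
static int new_error_printf(char *out, size_t n, const char *error_name,
                            const char *error_format, ...)
{
    va_list ap;
    int len;
    (void)error_name;            /* a real reply would carry the name */
    va_start(ap, error_format);
    len = vsnprintf(out, n, error_format, ap);
    va_end(ap);
    return len;
}

/* Constructed sample: runtime text that happens to contain a directive.
 * "%%" consumes no argument; "%s" or "%n" in this position would make the
 * callee read arguments that were never passed. */
static const char SAMPLE_MSG[] = "quota 100%% used";

/* "Before": runtime text in the format position (warnings silenced to compile). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int reply_unsafe(char *out, size_t n, const char *name, const char *msg)
{
    return new_error_printf(out, n, name, msg);
}
#pragma GCC diagnostic pop

/* "After": constant format, runtime text passed as data. */
static int reply_safe(char *out, size_t n, const char *name, const char *msg)
{
    return new_error_printf(out, n, name, "%s", msg);
}

int main(void)
{
    char buf[64];
    reply_unsafe(buf, sizeof buf, "org.example.Error", SAMPLE_MSG);
    printf("unsafe: %s\n", buf);   /* text was interpreted as a format */
    reply_safe(buf, sizeof buf, "org.example.Error", SAMPLE_MSG);
    printf("safe:   %s\n", buf);   /* text arrives unchanged */
    return 0;
}
```

With the three `#pragma` lines removed, building with `gcc -Wformat -Werror=format-security` rejects `reply_unsafe` with the same "format not a string literal and no format arguments" diagnostic quoted in the report.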



Bug#855605: rtkit uses dbus_message_new_error_printf unsafely

2017-02-20 Thread Andrew Shadura
Package: rtkit
Version: 0.11-4
Severity: important

Dear Maintainer,

rtkit uses dbus_message_new_error_printf in an unsafe way, which also causes
it to FTBFS when it builds against a newer dbus version (e.g. 1.11.8 and
newer, available in experimental):

/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c: In function 'dbus_handler':
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1336:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1361:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1366:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1371:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1388:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1413:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1418:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1423:25: error: format not a string literal and no format arguments [-Werror=format-security]
 assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
 ^

Please find an attached patch to fix it.

-- 
Cheers,
  Andrew

diff -Nru rtkit-0.11/debian/changelog rtkit-0.11/debian/changelog
--- rtkit-0.11/debian/changelog	2015-10-24 23:44:21.0 +0200
+++ rtkit-0.11/debian/changelog	2017-02-20 19:15:34.0 +0100
@@ -1,3 +1,11 @@
+rtkit (0.11-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add a format string to dbus_message_new_error_printf (fixes an FTBFS due to
+-Werror=format-security).
+
+ -- Andrew Shadura   Mon, 20 Feb 2017 19:15:34 +0100
+
 rtkit (0.11-4) unstable; urgency=medium
 
   * Remove stale ubuntu.series file.
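Review bot: the "Add a format string to dbus_message_new_error_printf" bullet in the new 0.11-4.1 entry carries no bug reference, so the upload will not close this report automatically; append "(Closes: #855605)" to that bullet. The bullet also describes the change only as an FTBFS fix, while the report calls the existing calls unsafe; noting that a non-literal string was being passed as the format argument would make the entry more useful to anyone auditing the package history. The continuation line "-Werror=format-security)." has no indentation and should align under the bullet text.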
diff -Nru rtkit-0.11/debian/patches/0006-fix-format-strings.patch rtkit-0.11/debian/patches/0006-fix-format-strings.patch
--- rtkit-0.11/debian/patches/0006-fix-format-strings.patch	1970-01-01 01:00:00.0 +0100
+++ rtkit-0.11/debian/patches/0006-fix-format-strings.patch	2017-02-20 19:15:34.0 +0100
@@ -0,0 +1,68 @@
+From: Andrew Shadura 
+Date: Mon, 20 Feb 2017 19:17:18 +0100
+Subject: Add a format string to dbus_message_new_error_printf (fixes an FTBFS
+ due to -Werror=format-security).
+Forwarded: no
+
+--- a/rtkit-daemon.c
 b/rtkit-daemon.c
+@@ -1333,7 +1333,7 @@
+ int ret;
+ 
+ if ((ret = verify_canary_refusal()) < 0) {
+-assert_se(r =
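Review bot: the patch header sets "Forwarded: no" although the change is to upstream's rtkit-daemon.c rather than to packaging; send it upstream and replace the field with the resulting URL, and add a "Bug-Debian:" field pointing at #855605. The Subject again mentions only the FTBFS, so state there that the calls passed a runtime string as the format argument. The build log in the report lists eight failing call sites (lines 1336 to 1423), so check that the 68-line patch covers all eight, since only the first inner hunk at 1333 is visible here.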