Package: gpe-conf
Version: 0.2.9-1
Severity: serious
Tags: patch wheezy sid
Justification: FTBFS on i386
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch hardening-format-security hardening

Hi,

your package failed to build with the -Wformat-security flag enabled.
Relevant part:

> gcc -DPACKAGE_NAME=\"gpe-conf\" -DPACKAGE_TARNAME=\"gpe-conf\"
> -DPACKAGE_VERSION=\"0.2.9\" -DPACKAGE_STRING=\"gpe-conf\ 0.2.9\"
> -DPACKAGE_BUGREPORT=\"gpe-l...@linuxtogo.org\" -DPACKAGE_URL=\"\"
> -DPACKAGE=\"gpe-conf\" -DVERSION=\"0.2.9\" -DSTDC_HEADERS=1
> -DGETTEXT_PACKAGE=\"gpe-conf\" -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1
> -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1
> -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_LOCALE_H=1
> -DHAVE_LC_MESSAGES=1 -DHAVE_BIND_TEXTDOMAIN_CODESET=1 -DHAVE_GETTEXT=1
> -DHAVE_DCGETTEXT=1 -DENABLE_NLS=1 -I. -pthread -I/usr/include/gtk-2.0
> -I/usr/lib/i386-linux-gnu/gtk-2.0/include -I/usr/include/atk-1.0
> -I/usr/include/cairo -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0
> -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0
> -I/usr/lib/i386-linux-gnu/glib-2.0/include -I/usr/include/pixman-1
> -I/usr/include/freetype2 -I/usr/include/libpng12 -I./gpe -I. -I./modules
> -DPREFIX=\"/usr\" -D_GNU_SOURCE -Wall -DPACKAGE_LOCALE_DIR=\"/usr/share/locale\" -DVERSION=\"0.2.9\" -DDBUS_API_SUBJECT_TO_CHANGE -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -Wall -c suid.c
> suid.c: In function 'update_system_hostname':
> suid.c:97:2: error: format not a string literal and no format arguments
> [-Werror=format-security]

This was already solved in Ubuntu with the attached patch.

Regards.

-- System Information:
Debian Release: wheezy/sid
  APT prefers oneiric-updates
  APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric'), (100, 'oneiric-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru gpe-conf-0.2.9/debian/patches/format-security.patch gpe-conf-0.2.9/debian/patches/format-security.patch --- gpe-conf-0.2.9/debian/patches/format-security.patch 1970-01-01 01:00:00.000000000 +0100 +++ gpe-conf-0.2.9/debian/patches/format-security.patch 2012-01-27 14:35:32.000000000 +0100 @@ -0,0 +1,41 @@ +Description: Fix FTBFS with -Wformat-security +Author: Alessio Treglia <ales...@debian.org> +Forwarded: no +--- + modules/cardinfo.c | 1 + + modules/serial.c | 2 +- + suid.c | 2 +- + 3 files changed, 3 insertions(+), 2 deletions(-) + +--- gpe-conf-0.2.9.orig/suid.c ++++ gpe-conf-0.2.9/suid.c +@@ -94,7 +94,7 @@ update_system_hostname (const gchar * sy + return; + } + +- fprintf (fnew, system_hostname); ++ fprintf (fnew, "%s", system_hostname); + + fclose (fnew); + } +--- gpe-conf-0.2.9.orig/modules/serial.c ++++ gpe-conf-0.2.9/modules/serial.c +@@ -390,7 +390,7 @@ Serial_Build_Objects (void) + FIRST_SERIAL = get_first_serial_port (); + + portlist[0][1] = FIRST_SERIAL; +- sprintf (cur_port, FIRST_SERIAL); ++ sprintf (cur_port, "%s", FIRST_SERIAL); + + gpsd_installed = !access (GPSD_STARTUP_SCRIPT, F_OK); + getty_installed = !access ("/sbin/getty", F_OK); +--- gpe-conf-0.2.9.orig/modules/cardinfo.c ++++ gpe-conf-0.2.9/modules/cardinfo.c +@@ -164,6 +164,7 @@ save_config (char *config, int socket) + cfg = g_strsplit (config, "\n", 4); // idstr,version,manfid,binding + cur_bind = malloc (strlen (st[socket].card.str) - 5); // current driver binding + snprintf (cur_bind, strlen (st[socket].card.str) - 6, ++ "%s", + st[socket].card.str + 3); + + /* determine config file type */ diff -Nru gpe-conf-0.2.9/debian/patches/series gpe-conf-0.2.9/debian/patches/series --- gpe-conf-0.2.9/debian/patches/series 2009-12-17 22:02:35.000000000 +0100 +++ gpe-conf-0.2.9/debian/patches/series 2012-01-27 13:52:10.000000000 +0100 @@ -1 +1,2 @@ desktop-validity +format-security.patch
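
Review bot: In the suid.c hunk (update_system_hostname), the results of fprintf (fnew, "%s", system_hostname) and the following fclose (fnew) are still ignored, so a short write or failed flush of the new hostname file goes unnoticed. Check both return values, and consider fputs (system_hostname, fnew) since nothing is being formatted. The patch Description mentions only the FTBFS, yet the removed line used system_hostname itself as the format string; it is worth stating that in the header so the change is not triaged as build-only, and forwarding it upstream given "Forwarded: no".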
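
Review bot: In the modules/serial.c hunk (Serial_Build_Objects), sprintf (cur_port, "%s", FIRST_SERIAL) removes the format-string problem but the copy is still unbounded, and the size of cur_port is not visible in the hunk. Since FIRST_SERIAL comes from get_first_serial_port () at run time, prefer a bounded copy such as snprintf (cur_port, sizeof cur_port, "%s", FIRST_SERIAL) if cur_port is an array, or g_strlcpy with the real buffer size.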
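
Review bot: In the modules/cardinfo.c hunk (save_config), a length check on st[socket].card.str is missing before the arithmetic around the new "%s" line: malloc (strlen (...) - 5), the snprintf size strlen (...) - 6 and the source offset + 3 all assume the string has at least 6 characters, and a shorter string makes the unsigned subtraction wrap to a huge size while the source pointer can pass the terminator. The malloc result is also used without a NULL check. Compute the length once, reject short strings, and derive both the allocation and the snprintf bound from that one value.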