perl-dev mailing list archives

From Niko Tyni <nt...@debian.org>
Subject Re: Bug#661540: libapache2-mod-perl2: FTBFS with hardening flags enabled: -Werror=format-security
Date Mon, 12 Mar 2012 14:26:30 GMT
On Mon, Mar 12, 2012 at 02:58:05PM +0100, Torsten Förtsch wrote:
> On Friday, 09 March 2012 22:50:33 Niko Tyni wrote:
> > The two usage warnings use constant strings so
> > they seem safe,
> 
> They are safe since the "usage" variable is constant and does not contain any 
> %-sequences. I do not see the need to fix anything here. What do I miss?

The fact that gcc can't see this and so building with
-Werror=format-security fails. Consider that part of the patch as
silencing false positive warnings.

> > but I'm afraid I can't tell whether this is the case
> > for ERRSV in the mpxs_cleanup_run() phase.
> 
> These occasions are fixed as of revision 1299669 as described in my previous 
> mail.

Thanks!

Can you think of a scenario where an attacker could inject format
sequences to ERRSV? That would make earlier releases vulnerable.
-- 
Niko Tyni   ntyni@debian.org
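
The distinction discussed in this thread, shown as an added example that is not part of the original message or of the mod_perl source: a message passed as the format string versus the same message passed as data to a literal `"%s"`. The `usage` text, the function names and the sample strings are constructed for illustration; only `%%` is used as a sample sequence because it consumes no arguments.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a constant usage text with no %-sequences. */
static const char *usage = "usage: handler(r, ...)";

/* Flagged form: the message itself is the format string. The compiler
 * cannot prove msg is free of %-sequences, so -Wformat-security fires.
 * The pragmas keep this file buildable under -Werror=format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_flagged(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Fixed form: literal format string, message passed as an argument. */
static int log_fixed(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Returns 1 when both forms render msg identically, 0 otherwise. */
static int renders_same(const char *msg)
{
    char a[128], b[128];
    log_flagged(a, sizeof a, msg);
    log_fixed(b, sizeof b, msg);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constant text without %-sequences: the warning is a false positive. */
    printf("usage text identical: %d\n", renders_same(usage));
    /* Text that is not a compile-time constant may contain %-sequences;
     * here the flagged form rewrites it, the fixed form preserves it. */
    printf("text with %%%% identical: %d\n", renders_same("disk 100%% full"));
    return 0;
}
```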
