Bug 1025257
| Summary: | vorbis-tools FTBFS if "-Werror=format-security" flag is used | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dhiru Kholia <dkholia> | ||||
| Component: | vorbis-tools | Assignee: | Kamil Dudka <kdudka> | ||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | bressers, dennis, dkholia, hdegoede, kdudka, mjuszkie | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | vorbis-tools-1.4.0-14.fc21 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2014-06-10 09:25:45 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1105908 | ||||||
| Attachments: |
|
||||||
I fully understand that the coding style of vorbis-tools does not match your preference. However, the format string is never ever read from outside, so how are you confirming there is a real issue with the resulting binary packages? Well, it is not my personal coding style. It is a coding style which "Werror=format-security" likes to see. There is no real security issue here (as you figured out) but it would be nice to see upstream adopting some "good" practices. Two months ago I sent a one-line patch fixing real issue (that can be seen as a security issue) to the upstream mailing-list with no interest so far: http://lists.xiph.org/pipermail/vorbis-dev/2013-September/020345.html I am afraid that sending them patches to just improve the coding style is not going to attract more interest... The warning as it is implemented now just warns about poor coding style, which does not necessarily imply an error. Hence, it should really be treated as a warning, not as error. *** Bug 1037378 has been marked as a duplicate of this bug. *** Created attachment 901847 [details]
introduction of a new bug
Reported upstream: https://trac.xiph.org/ticket/2025 Comment on attachment 901847 [details]
introduction of a new bug
This is not going to work because stats->formatstr needs to be treated as format, not as just string to be printed (with unconverted conversions inside). In order to fix it, you need to write a bigger patch.
*** Bug 1107110 has been marked as a duplicate of this bug. *** fixed in vorbis-tools-1.4.0-14.fc21 |
vorbis-tools-1.4.0-12.fc21 FTBFS if "-Werror=format-security" flag is used. .. status.c: In function ‘print_statistics_line’: status.c:151:7: error: format not a string literal and no format arguments [-Werror=format-security] len += sprintf(str+len, stats->formatstr); I am working on a proposal to enable "-Werror=format-security" for all packages. For more details, please see https://fedorahosted.org/fesco/ticket/1185 URL.