vorbis-tools-1.4.0-12.fc21 FTBFS if "-Werror=format-security" flag is used.

status.c: In function ‘print_statistics_line’:
status.c:151:7: error: format not a string literal and no format arguments [-Werror=format-security]
       len += sprintf(str+len, stats->formatstr);

I am working on a proposal to enable "-Werror=format-security" for all packages. For more details, please see https://fedorahosted.org/fesco/ticket/1185
I fully understand that the coding style of vorbis-tools does not match your preference. However, the format string is never ever read from outside, so how are you confirming there is a real issue with the resulting binary packages?
Well, it is not my personal coding style. It is a coding style which "-Werror=format-security" likes to see. There is no real security issue here (as you figured out) but it would be nice to see upstream adopting some "good" practices.
Two months ago I sent a one-line patch fixing a real issue (that can be seen as a security issue) to the upstream mailing list with no interest so far: http://lists.xiph.org/pipermail/vorbis-dev/2013-September/020345.html I am afraid that sending them patches to just improve the coding style is not going to attract more interest...

The warning as it is implemented now just warns about poor coding style, which does not necessarily imply an error. Hence, it should really be treated as a warning, not as an error.
*** Bug 1037378 has been marked as a duplicate of this bug. ***
Created attachment 901847: introduction of a new bug
Reported upstream: https://trac.xiph.org/ticket/2025
Comment on attachment 901847 (introduction of a new bug):

This is not going to work because stats->formatstr needs to be treated as a format, not as just a string to be printed (with unconverted conversions inside). In order to fix it, you need to write a bigger patch.
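The point made in the comment above, as an added C example that is not part of this bug report or of vorbis-tools: the naive fix for the line flagged in the build log, replacing `sprintf(str+len, stats->formatstr)` with `sprintf(str+len, "%s", stats->formatstr)`, silences -Wformat-security but stops treating formatstr as a format, so an escaped percent ("%%") is printed verbatim. The hardened helper below keeps format semantics for a no-argument format (expands "%%", refuses any other directive instead of letting sprintf read a missing argument). The struct, field name and sample strings are constructed for the example, not the real status.c definitions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ogg123 status-line entry; the struct and
 * field name are assumptions for this example, not vorbis-tools code. */
struct stat_line {
    const char *formatstr;   /* format text that takes no arguments */
};

/* The naive fix for "format not a string literal and no format arguments":
 *     len += sprintf(str+len, stats->formatstr);
 * rewritten as
 *     len += sprintf(str+len, "%s", stats->formatstr);
 * This silences the warning but changes behaviour: formatstr is no longer
 * interpreted as a format, so "%%" reaches the output unchanged. */
int append_as_plain_string(char *dst, size_t cap, const struct stat_line *s)
{
    return snprintf(dst, cap, "%s", s->formatstr);
}

/* Hardened alternative: treat formatstr as a format that may carry no
 * conversions.  "%%" becomes "%"; any other '%' directive is rejected
 * (return -1) rather than handed to sprintf, where it would consume an
 * argument that was never passed.  Returns the number of bytes written,
 * or -1 if the output does not fit in cap bytes (including the NUL). */
int append_noarg_format(char *dst, size_t cap, const struct stat_line *s)
{
    size_t out = 0;
    const char *p = s->formatstr;

    while (*p != '\0') {
        char c = *p++;
        if (c == '%') {
            if (*p != '%')
                return -1;          /* a real conversion with no argument */
            p++;                    /* "%%" -> "%" */
        }
        if (out + 1 >= cap)
            return -1;              /* no room for this byte plus the NUL */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    /* Constructed sample status strings. */
    struct stat_line pct = { "100%% done" };
    struct stat_line bad = { "Time: %s" };
    char buf[64];

    append_as_plain_string(buf, sizeof buf, &pct);
    printf("via \"%%s\": %s\n", buf);     /* 100%% done  (escape left in) */

    append_noarg_format(buf, sizeof buf, &pct);
    printf("no-arg   : %s\n", buf);        /* 100% done */

    printf("rejected : %d\n", append_noarg_format(buf, sizeof buf, &bad)); /* -1 */
    return 0;
}
```

The rejection path is the defensive part: a format entry that unexpectedly contains a conversion is reported as an error at the call site instead of producing a stack read, which is the class of bug -Wformat-security exists to catch.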
*** Bug 1107110 has been marked as a duplicate of this bug. ***
Fixed in vorbis-tools-1.4.0-14.fc21