Bug 1025257 - vorbis-tools FTBFS if "-Werror=format-security" flag is used
Product: Fedora
Classification: Fedora
Component: vorbis-tools
Priority: low
Severity: low
Assigned To: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Duplicates: 1037378 1107110
Blocks: F21FTBFS
Reported: 2013-10-31 06:33 EDT by Dhiru Kholia
Modified: 2014-06-10 05:25 EDT
Fixed In Version: vorbis-tools-1.4.0-14.fc21
Doc Type: Bug Fix
Last Closed: 2014-06-10 05:25:45 EDT
Type: Bug

Attachments
introduction of a new bug (1.17 KB, patch)
2014-06-03 11:52 EDT, Marcin Juszkiewicz
kdudka: review-
Description Dhiru Kholia 2013-10-31 06:33:23 EDT
vorbis-tools-1.4.0-12.fc21 FTBFS if "-Werror=format-security" flag is used.

status.c: In function ‘print_statistics_line’:
status.c:151:7: error: format not a string literal and no format arguments [-Werror=format-security]
       len += sprintf(str+len, stats->formatstr);

I am working on a proposal to enable "-Werror=format-security" for all packages. For more details, please see https://fedorahosted.org/fesco/ticket/1185.
Comment 1 Kamil Dudka 2013-10-31 13:11:53 EDT
I fully understand that the coding style of vorbis-tools does not match your preference.  However, the format string is never ever read from outside, so how are you confirming there is a real issue with the resulting binary packages?
Comment 2 Dhiru Kholia 2013-11-01 00:56:44 EDT
Well, it is not my personal coding style. It is a coding style which "Werror=format-security" likes to see.

There is no real security issue here (as you figured out) but it would be nice to see upstream adopting some "good" practices.
Comment 3 Kamil Dudka 2013-11-01 06:34:33 EDT
Two months ago I sent a one-line patch fixing a real issue (that can be seen as a security issue) to the upstream mailing list, with no interest so far:


I am afraid that sending them patches to just improve the coding style is not going to attract more interest...

The warning as it is implemented now just warns about poor coding style, which does not necessarily imply an error.  Hence, it should really be treated as a warning, not as error.
Comment 4 Kamil Dudka 2013-12-03 02:58:56 EST
*** Bug 1037378 has been marked as a duplicate of this bug. ***
Comment 5 Marcin Juszkiewicz 2014-06-03 11:52:15 EDT
Created attachment 901847 [details]
introduction of a new bug
Comment 6 Marcin Juszkiewicz 2014-06-03 11:56:58 EDT
Reported upstream: https://trac.xiph.org/ticket/2025
Comment 7 Kamil Dudka 2014-06-03 15:48:33 EDT
Comment on attachment 901847 [details]
introduction of a new bug

This is not going to work because stats->formatstr needs to be treated as a format, not just as a string to be printed (with unconverted conversions inside).  In order to fix it, you need to write a bigger patch.
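To make concrete why the one-line "%s" replacement discussed in comment 7 is not equivalent to the original sprintf(str+len, stats->formatstr) from the description, here is an added C example. It is not vorbis-tools code: the stat_entry table, its field names and the sample entries are a constructed stand-in for the per-statistic structure status.c iterates over. A no-argument format is routed through a small expander that honours "%%" and rejects any other conversion (nothing would consume it), next to the naive snprintf(dst, "%s", fmt) that silences the warning but leaves "%%" doubled; entries that do carry an argument keep a real format with a real argument, which -Wformat-security does not flag. The file compiles cleanly with gcc -Wall -Wformat -Werror=format-security.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the entries status.c walks; the real table in
 * vorbis-tools has more types and fields than the two modelled here. */
enum stat_type { STAT_NOARG, STAT_INTARG };

struct stat_entry {
    int enabled;
    enum stat_type type;
    const char *formatstr;   /* printf-style format, may contain "%%" */
    int intarg;              /* only meaningful for STAT_INTARG */
};

/* Append a no-argument format to dst: "%%" becomes "%", any other '%'
 * conversion is rejected because there is no argument to satisfy it.
 * Returns the number of bytes appended (NUL excluded), or -1 on a bad
 * format or insufficient room.  No non-literal format reaches a printf
 * family function, so this is clean under -Werror=format-security and a
 * stray "%s" or "%n" in the table can never dereference garbage. */
int append_noarg_format(char *dst, size_t cap, const char *fmt)
{
    size_t out = 0;
    for (const char *p = fmt; *p; p++) {
        char c = *p;
        if (c == '%') {
            if (p[1] != '%')
                return -1;   /* conversion with nothing to consume */
            p++;             /* collapse "%%" into a single '%' */
        }
        if (out + 1 >= cap)  /* always leave room for the terminating NUL */
            return -1;
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (int)out;
}

/* The obvious one-line "fix": the warning goes away, but "%%" is copied
 * verbatim instead of being converted, which is the objection in comment 7. */
int append_as_plain_string(char *dst, size_t cap, const char *fmt)
{
    int n = snprintf(dst, cap, "%s", fmt);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Build one status line from a table, in the shape of print_statistics_line():
 * no-argument entries go through the expander, entries with an argument use a
 * real format together with that argument (bounded by snprintf rather than
 * sprintf).  Returns the line length or -1 if anything failed. */
int build_status_line(char *str, size_t cap,
                      const struct stat_entry *stats, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        int w;
        if (!stats[i].enabled)
            continue;
        if (stats[i].type == STAT_NOARG) {
            w = append_noarg_format(str + len, cap - len, stats[i].formatstr);
        } else {
            w = snprintf(str + len, cap - len, stats[i].formatstr, stats[i].intarg);
            if (w >= 0 && (size_t)w >= cap - len)
                w = -1;  /* truncated: report instead of silently clipping */
        }
        if (w < 0)
            return -1;
        len += (size_t)w;
    }
    return (int)len;
}

int main(void)
{
    /* Constructed sample table, not vorbis-tools' own. */
    const struct stat_entry stats[] = {
        { 1, STAT_NOARG,  "Volume 100%% ",     0   },
        { 1, STAT_INTARG, "Bitrate: %d kb/s",  128 },
        { 0, STAT_NOARG,  "hidden",            0   },
    };
    char line[128];
    int len = build_status_line(line, sizeof line, stats, 3);
    printf("%d: %s\n", len, line);  /* 29: Volume 100% Bitrate: 128 kb/s */
    return len < 0;
}
```

The expander deliberately fails closed: a table entry typed as no-argument but containing "%d" is a bug in the table, and returning -1 surfaces it instead of letting sprintf read a missing argument off the stack, which is the class of defect -Wformat-security exists to catch.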
Comment 8 Kamil Dudka 2014-06-09 16:56:18 EDT
*** Bug 1107110 has been marked as a duplicate of this bug. ***
Comment 9 Kamil Dudka 2014-06-10 05:25:45 EDT
fixed in vorbis-tools-1.4.0-14.fc21
