Description of problem
----------------------

grass fails to build if "-Werror=format-security" flag is used.

...

a2b.c:103:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:136:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:154:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:172:6: error: format not a string literal and no format arguments [-Werror=format-security]

...

We are working on a proposal to enable "-Werror=format-security" for all packages. Once this flag is enabled, GCC will refuse to compile code that could be vulnerable to a string format security flaw. For more details, please see https://fedorahosted.org/fesco/ticket/1185 page.

To understand why it is important to fix this, please see https://fedoraproject.org/wiki/Format-Security-FAQ page.

How to fix this
---------------

The fix for these errors is quite simple. It's a matter of changing a line like,

    printf(foo);

to read,

    printf("%s", foo);

That's it.

Please fix this issue in rawhide with a patch (which you should submit to upstream to merge moving forward). Please do a new build with the fix in rawhide. Other releases do not need to be directly fixed, but there should be no harm in pushing out this fix/patch with other needed changes to those branches.

In the event you don't fix this bug before the next mass rebuild, provenpackagers may step in and update your package(s) to fix this issue.

How reproducible
----------------

Build grass-6.4.3-5.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem.

To make this process easier, you can use a modified "redhat-rpm-config" package from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL.

$ sha256sum redhat-rpm-config-9.1.0-56.fc20.*
faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2  redhat-rpm-config-9.1.0-56.fc20.noarch.rpm
5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413  redhat-rpm-config-9.1.0-56.fc20.src.rpm
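
The printf(foo) to printf("%s", foo) change described in the report above, as an added example that is not part of the original report or of the GRASS sources. report() is a hypothetical printf-style helper, SAMPLE is constructed input, and arg_directives() is a simplified check written for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed input; the bytes are: load 100%% complete */
#define SAMPLE "load 100%% complete"

static char last_msg[128];   /* keeps the formatted text so it can be inspected */

/* format(printf, 1, 2) makes GCC check callers of this hypothetical wrapper
 * the same way it checks printf(), including -Wformat-security. */
__attribute__((format(printf, 1, 2)))
static const char *report(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
    return last_msg;
}

/* Before: the message is used as the format string. This is the call shape
 * GCC rejects; the pragmas only let the "before" compile under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *report_before(const char *msg) { return report(msg); }
#pragma GCC diagnostic pop

/* After: constant format string, message passed as data. */
static const char *report_after(const char *msg) { return report("%s", msg); }

/* Simplified count of directives in msg that would fetch an argument if msg
 * were used as a format ("%%" fetches none). Nonzero means report_before()
 * would read arguments that were never passed. */
static int arg_directives(const char *msg)
{
    int n = 0;
    for (; *msg; msg++) {
        if (*msg != '%') continue;
        if (msg[1] == '%') msg++;          /* literal percent sign */
        else if (msg[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    printf("before: %s\n", report_before(SAMPLE));  /* "%%" collapsed: text was parsed */
    printf("after:  %s\n", report_after(SAMPLE));   /* text printed verbatim */
    return arg_directives(SAMPLE);                   /* 0: SAMPLE fetches no arguments */
}
```

SAMPLE contains only "%%", which consumes no argument, so the "before" call is well defined here while still showing that the text was interpreted as a format.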
FYI There is a related comment in grass-dev that "-Werror=format-security" flag should not be used along with '--without-nls' when configuring GRASS GIS: http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html
Taking.
Created attachment 925470
Patch to address -Werror=format-security issues

This is the patch I had mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1106720

It is supposed to fix the issues triggered compiling grass w/ -Werror=format-security.

Due to its size, I am not expecting it to be bug-free and therefore would rather see the patch only be applied to rawhide until some more confidence has been gained with it.
Hi Ralf, Have you talked with upstream about reviewing and accepting this patch?
(In reply to Dhiru Kholia from comment #6)
> Hi Ralf,
>
> Have you talked with upstream about reviewing and accepting this patch?

No, unfortunately I haven't found any time for doing so yet, and I am also having problems accessing upstream's web-site (grass.drgeo.org has response times in the order of minutes from here) to dig out a bug-reporting contact.

But AFAICT, the markusN involved in the BZ is an upstream contributor.
The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/

Please note there was a discussion last year about earlier attempts of patching GRASS GIS in this way:

http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html

The other day I brought it up on grass-dev again in order to find an upstream solution. However, the best is to open an upstream ticket.
(In reply to markusN from comment #8)
> The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/

OK, I just tried to get a "GeoID", but ...

... I feel the grass site is in the same shape as the grass package itself (SCNR) ;)

> Please note there was a discussion last year about earlier attempts of
> patching GRASS GIS in this way:
>
> http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html

Well, I don't think this issue matters here. grass was failing with -Werror=format-security and --with-nls.

I also tried building --without-nls and could not spot any problem.

Note1: gcc -Werror=format-security emits quite a lot of bogus/false warnings/errors. IMO, adding -Werror=format-security into CFLAGS in Fedora is more harmful than useful.

Note2: I consider my patch to be a means of "emergency" to keep this package in Fedora. Otherwise it probably would have to be removed.

> The other day I brought it up on grass-dev again in order to find an
> upstream solution. However, the best is to open an upstream ticket.

Well, how, where? The grass web-site seems to do its best to fence out contributors ;)
(In reply to Ralf Corsepius from comment #9)
> (In reply to markusN from comment #8)
> > The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/
> OK, I just tried to get a "GeoID", but ...
>
> ... I feel the grass site is in the same shape as the grass package itself
> (SCNR) ;)

Do you mean the OSGeo trac or our main site at http://grass.osgeo.org ?

> > Please note there was a discussion last year about earlier attempts of
> > patching GRASS GIS in this way:
> >
> > http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html
> Well, I don't think this issue matters here. grass was failing with
> -Werror=format-security and --with-nls.
>
> I also tried building --without-nls and could not spot any problem.

Exactly. We know that it fails with -Werror=format-security *and* --with-nls which is not necessarily a GRASS problem but moreover a gcc issue.

> Note1: gcc -Werror=format-security emits quite a lot of bogus/false
> warnings/errors. IMO, adding -Werror=format-security into CFLAGS in Fedora
> is more harmful than useful.

Yes.

> Note2: I consider my patch to be a means of "emergency" to keep this package
> in Fedora. Otherwise it probably would have to be removed.

Thanks for that. However, we'll need to find a real solution.

> > The other day I brought it up on grass-dev again in order to find an
> > upstream solution. However, the best is to open an upstream ticket.
> Well, how, where? The grass web-site seems to do its best to fence out
> contributors ;)

Please send your comments off-bugzilla to me, we are happy to improve it as needed but it is off-topic here (neteler AT osgeo.org).
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Fixed upstream in https://trac.osgeo.org/grass/changeset/66614 This will be shipped with GRASS GIS 7.0.2 shortly.
Partially fixed also in the older GRASS GIS 6.4.x release branch in https://trac.osgeo.org/grass/changeset/66616 This will be shipped with GRASS GIS 6.4.6 (not very soon though, since the official stable release is 7.0.x).
FTBFS is solved for Rawhide, thus closing.