Bug 1037102 - grass FTBFS if "-Werror=format-security" flag is used
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: grass
Version: 22
Hardware: Unspecified
OS: Unspecified
Assignee: Ralf Corsepius
QA Contact: Fedora Extras Quality Assurance
Blocks: 1038083 1106720
Reported: 2013-12-03 03:08 UTC by Dhiru Kholia
Modified: 2016-05-03 21:41 UTC

Doc Type: Bug Fix
Last Closed: 2016-05-03 21:41:24 UTC


Attachments
Patch to address -Werror=format-security issues (104.74 KB, patch)
2014-08-10 06:30 UTC, Ralf Corsepius

Description Dhiru Kholia 2013-12-03 03:08:31 UTC
Description of problem
----------------------

grass fails to build if "-Werror=format-security" flag is used.

...

a2b.c:103:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:136:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:154:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:172:6: error: format not a string literal and no format arguments [-Werror=format-security]

...

We are working on a proposal to enable "-Werror=format-security" for all
packages. Once this flag is enabled, GCC will refuse to compile code that could
be vulnerable to a string format security flaw. For more details, please see
https://fedorahosted.org/fesco/ticket/1185 page.

To understand why it is important to fix this, please see
https://fedoraproject.org/wiki/Format-Security-FAQ page.

How to fix this
---------------

The fix for these errors is quite simple. It's a matter of changing a
line like,

   printf(foo);

to read,

   printf("%s", foo);

That's it.

Please fix this issue in rawhide with a patch (which you should submit
to upstream to merge moving forward). Please do a new build with the
fix in rawhide. Other releases do not need to be directly fixed, but
there should be no harm in pushing out this fix/patch with other needed
changes to those branches.

In the event you don't fix this bug before the next mass rebuild,
provenpackagers may step in and update your package(s) to fix this
issue.

How reproducible
----------------

Build grass-6.4.3-5.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem.

To make this process easier, you can use a modified "redhat-rpm-config" package
from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL.

$ sha256sum redhat-rpm-config-9.1.0-56.fc20.*
faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2  redhat-rpm-config-9.1.0-56.fc20.noarch.rpm
5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413  redhat-rpm-config-9.1.0-56.fc20.src.rpm
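
The fix from "How to fix this", shown on a project-style variadic wrapper rather than on printf() itself. This is an added example, not code from GRASS or from the attached patch; `log_msg`, `report_unsafe`, `report_safe` and `survives_verbatim` are hypothetical names, and the sample strings are constructed. Building with `-DSHOW_UNSAFE -Werror=format-security` reproduces the diagnostic quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper. The format attribute tells GCC that
 * argument 3 is a printf-style format string, so -Wformat-security
 * checks every caller of the wrapper the same way it checks printf(). */
__attribute__((format(printf, 3, 4)))
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

#ifdef SHOW_UNSAFE
/* Rejected pattern: text is used as the format string, so any
 * conversion specifier inside it is interpreted, not printed. */
static int report_unsafe(char *out, size_t n, const char *text)
{
    return log_msg(out, n, text);
}
#endif

/* Fixed pattern: the format is a literal and text is only data. */
static int report_safe(char *out, size_t n, const char *text)
{
    return log_msg(out, n, "%s", text);
}

/* Returns 1 when text reaches the output buffer byte for byte. */
static int survives_verbatim(const char *text)
{
    char buf[128];
    int len = report_safe(buf, sizeof buf, text);

    return len == (int)strlen(text) && strcmp(buf, text) == 0;
}

int main(void)
{
    /* Constructed inputs containing conversion specifiers. */
    const char *samples[] = { "layer 100% loaded", "name=%s%x%n" };

    for (size_t i = 0; i < 2; i++)
        printf("%-20s verbatim=%d\n", samples[i], survives_verbatim(samples[i]));
    return 0;
}
```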

Comment 1 markusN 2013-12-04 13:25:59 UTC
FYI

There is a related comment in grass-dev that "-Werror=format-security" flag
should not be used along with '--without-nls' when configuring GRASS GIS:

http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html

Comment 3 Ralf Corsepius 2014-08-10 06:25:30 UTC
Taking.

Comment 4 Ralf Corsepius 2014-08-10 06:30:35 UTC
Created attachment 925470 [details]
Patch to address -Werror=format-security issues

This is the patch I had mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1106720

It is supposed to fix the issues triggered compiling grass w/ -Werror=format-security.

Due to its size, I am not expecting it to be bug-free and therefore would rather see the patch only be applied to rawhide until some more confidence has been gained with it.

Comment 5 Dhiru Kholia 2014-08-12 08:22:05 UTC
Hi Ralf,

Have you talked with upstream about reviewing and accepting this patch?

Comment 6 Dhiru Kholia 2014-08-12 08:22:09 UTC
Hi Ralf,

Have you talked with upstream about reviewing and accepting this patch?

Comment 7 Ralf Corsepius 2014-08-12 10:20:04 UTC
(In reply to Dhiru Kholia from comment #6)
> Hi Ralf,
> 
> Have you talked with upstream about reviewing and accepting this patch?
No, unfortunately I haven't found any time for doing so yet, and I am also having problems accessing upstream's web-site (grass.drgeo.org has response times in the order of minutes from here) to dig out a bug-reporting contact.

But AFAICT, the markusN involved in the BZ is an upstream contributor.

Comment 8 markusN 2014-08-12 10:36:14 UTC
The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/

Please note there was a discussion last year about earlier attempts of
patching GRASS GIS in this way:

http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html

The other day I brought it up on grass-dev again in order to find an
upstream solution. However, the best is to open an upstream ticket.

Comment 9 Ralf Corsepius 2014-08-12 10:50:51 UTC
(In reply to markusN from comment #8)
> The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/
OK, I just tried to get a "GeoID", but ... 

... I feel the grass site is in the same shape as the grass package itself (SCNR) ;)

> Please note there was a discussion last year about earlier attempts of
> patching GRASS GIS in this way:
> 
> http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html
Well, I don't think this issue matters here. grass was failing with -Werror=format-security and --with-nls.

I also tried building --without-nls and could not spot any problem.

Note1: gcc -Werror=format-security emits quite a lot of bogus/false warnings/errors. IMO, adding -Werror=format-security into CFLAGS in Fedora is more harmful than useful.

Note2: I consider my patch to be a means of "emergency" to keep this package in Fedora. Otherwise it probably would have to be removed.

> The other day I brought it up on grass-dev again in order to find an
> upstream solution. However, the best is to open an upstream ticket.
Well, how, where? The grass web-site seems to do its best to fence out contributors ;)

Comment 10 markusN 2014-08-12 19:19:55 UTC
(In reply to Ralf Corsepius from comment #9)
> (In reply to markusN from comment #8)
> > The GRASS GIS bugtracker is at http://trac.osgeo.org/grass/
> OK, I just tried to get a "GeoID", but ... 
> 
> ... I feel the grass site is in the same shape as the grass package itself
> (SCNR) ;)

Do you mean the OSGeo trac or our main site at http://grass.osgeo.org ?
 
> > Please note there was a discussion last year about earlier attempts of
> > patching GRASS GIS in this way:
> > 
> > http://lists.osgeo.org/pipermail/grass-dev/2012-August/059157.html
> Well, I don't think this issue matters here. grass was failing with
> -Werror=format-security and --with-nls.
> 
> I also tried building --without-nls and could not spot any problem.

Exactly. We know that it fails with -Werror=format-security *and* --with-nls which is not necessarily a GRASS problem but moreover a gcc issue.

> Note1: gcc -Werror=format-security emits quite a lot of bogus/false
> warnings/errors. IMO, adding -Werror=format-security into CFLAGS in Fedora
> is more harmful than useful.

Yes.

> Note2: I consider my patch to be a means of "emergency" to keep this package
> in Fedora. Otherwise it probably would have to be removed.

Thanks for that. However, we'll need to find a real solution.

> > The other day I brought it up on grass-dev again in order to find an
> > upstream solution. However, the best is to open an upstream ticket.
> Well, how, where? The grass web-site seems to do its best to fence out
> contributors ;)

Please send your comments off-bugzilla to me, we are happy to improve 
it as needed but it is off-topic here (neteler AT osgeo.org).

Comment 11 Jaroslav Reznik 2015-03-03 16:57:14 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 12 markusN 2015-10-27 13:15:03 UTC
Fixed upstream in https://trac.osgeo.org/grass/changeset/66614

This will be shipped with GRASS GIS 7.0.2 shortly.

Comment 13 markusN 2015-10-27 14:17:51 UTC
Partially fixed also in the older GRASS GIS 6.4.x release branch in https://trac.osgeo.org/grass/changeset/66616

This will be shipped with GRASS GIS 6.4.6 (not very soon though, since the official stable release is 7.0.x).

Comment 14 Volker Fröhlich 2016-05-03 21:41:24 UTC
FTBFS is solved for Rawhide, thus closing.

