Summary: | x11-libs/motif fails to compile with format-security | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Agostino Sarubbo <ago> |
Component: | Current packages | Assignee: | Ulrich Müller <ulm> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | eschwartz93, pacho, toralf |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 713576, 259417 | ||
Attachments: | motif-2.3.4-r2:20140825-210538.log |
Description
Agostino Sarubbo
2014-08-26 10:40:27 UTC
Created attachment 383664 [details]
motif-2.3.4-r2:20140825-210538.log
build log
Can you also report this upstream, please? These are false positives. Looking at the lines where the warning is reported, they are all of the form (e.g. line 267 in lib/Mrm/Mrmhier.c): sprintf (err_stg, _MrmMMsg_0113); The messages are defined in lib/Mrm/MrmMessages.c, for example: externaldef(mrmmsg) _MrmConst char *_MrmMsg_0113 = "Could not open buffer - UID version mismatch"; This looks like a perfect string literal to me, therefore no security issue that should be warned about. are you sure? take a look at: http://bugs.motifzone.net/show_bug.cgi?id=1574 In the patch attached to the upstream bug I still see only false positives. There is not a single instance of a format string from untrusted input. ok, the point is: - atm motif fails to compile with format-security but maybe they are false positive. - We are not here to monitoring the motif code, but tomorrow we could have a format-security from untrusted input. So if you fix it now, we can track other future problems. -If you don't fix it I just avoid to compile it with format-security in the future. I can apply a patch that has been accepted upstream. However, I won't locally patch perfectly working code (and risk introducing real bugs), only to work around deficiencies in gcc's error reporting. Alternatively, we could filter the flag in the motif ebuild. *** Bug 714080 has been marked as a duplicate of this bug. *** |