Bug 336603

Summary:	games-roguelike/scourge _FORTIFY_SOURCE indicates presence of overflow
Product:	Gentoo Linux	Reporter:	Diego Elio Pettenò (RETIRED) <flameeyes>
Component:	[OLD] Games	Assignee:	Gentoo Games <games>
Status:	RESOLVED FIXED
Severity:	normal	CC:	hardened
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	259417
Attachments:	Build log Patch to scourge-0.21.1.ebuild to add a sed to fix the overflow

Description Diego Elio Pettenò (RETIRED) gentoo-dev

2010-09-09 14:45:03 UTC

You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Thanks,
Your friendly neighborhood tinderboxer

Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev

2010-09-09 14:45:21 UTC

Created attachment 246599 [details]
Build log

Comment 2 Kevin Pyle 2010-09-11 05:23:38 UTC

Created attachment 246798 [details, diff]
Patch to scourge-0.21.1.ebuild to add a sed to fix the overflow

The upstream code declares char tmp[255], then tells snprintf that the buffer is 256 characters long.  The sed fixes it to use sizeof(tmp) in the call to snprintf.

Comment 3 Mr. Bones. (RETIRED) gentoo-dev

2010-09-11 06:58:18 UTC

Fixed in portage.  Thanks for the patch.