
Bug 339364

Summary: sci-mathematics/scilab-4.1.2-r3 _FORTIFY_SOURCE indicates presence of overflow
Product: Gentoo Linux
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: New packages
Assignee: Gentoo Science Mathematics related packages <sci-mathematics>
Status: RESOLVED WONTFIX
Severity: normal
CC: bircoph, djcozatt, hardened, kripton, tomka, treecleaner
Priority: Normal
Keywords: PMASKED
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: Pending Removal: 2012-12-24
Package list:
Runtime testing required: ---
Bug Depends on: 237572
Bug Blocks: 259417
Attachments: Build log

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-01 15:36:38 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Thanks,
Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-01 15:37:35 UTC
Created attachment 249185
Build log
Comment 2 David J Cozatt 2010-10-02 15:59:25 UTC
This package shows overflow issues and is very out of date. http://bugs.gentoo.org/show_bug.cgi?id=237572 shows an active overlay version of the package.

The upstream stable branch is currently 5.2.2. Please remove this one from the tree and
add a stable package to testing status for all architectures?

From flameeyes' build log:

gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o intgget.o intgget.c
In file included from /usr/include/string.h:642:0,
                 from intgget.h:9,
                 from intgget.c:6:
In function ‘strcpy’,
    inlined from ‘sciGet’ at intgget.c:749:19:
/usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk will always overflow destination buffer
gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o intgset.o intgset.c
gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o intshowalluimenushandles.o intshowalluimenushandles.c
gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o IsEqualVar.o IsEqualVar.c
gfortran -O2 -pipe  -c -o lstelm.o lstelm.f
gfortran -O2 -pipe  -c -o lstelmi.o lstelmi.f
gfortran -O2 -pipe  -c -o matelm.o matelm.f
matelm.f:5094.21:

            do i = 1, dlamch('n') - 1                                   
                     1
Warning: Deleted feature: End expression in DO loop at (1) must be integer
gfortran -O2 -pipe  -c -o matold.o matold.f

Creation of ../../libs/metanet.a
make[2]: Leaving directory `/var/tmp/portage/sci-mathematics/scilab-4.1.2-r2/work/scilab-4.1.2/routines/metanet'
making all in routines/optim...
make[2]: Entering directory `/var/tmp/portage/sci-mathematics/scilab-4.1.2-r2/work/scilab-4.1.2/routines/optim'
gcc -O2 -pipe    -c -o sp.o sp.c
In file included from /usr/include/stdio.h:930:0,
                 from sp.c:14:
In function ‘sprintf’,
    inlined from ‘sp’ at sp.c:546:18:
/usr/include/bits/stdio2.h:34:3: warning: call to __builtin___sprintf_chk will always overflow destination buffer
gfortran -O2 -pipe  -c -o ajour.o ajour.f

gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o wf_f_util.o wf_f_util.c
wf_f_util.c: In function ‘get_directory’:
wf_f_util.c:84:5: warning: ‘getwd’ is deprecated (declared at /usr/include/bits/unistd.h:222)
In file included from /usr/include/unistd.h:1157:0,
                 from /usr/include/X11/Xos.h:89,
                 from wf_fig.h:67,
                 from wf_f_util.c:17:
In function ‘getwd’,
    inlined from ‘get_directory’ at wf_f_util.c:84:14:
/usr/include/bits/unistd.h:226:3: warning: call to ‘__getwd_warn’ declared with attribute warning: please use getcwd instead, as getwd doesn't specify buffer size
gcc -O2 -pipe   -I/usr/include -I/usr/include   -c -o wf_f_read.o wf_f_read.c

* QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * /usr/include/bits/string3.h:107:3: warning: call to __builtin___strcpy_chk will always overflow destination buffer
 * /usr/include/bits/stdio2.h:34:3: warning: call to __builtin___sprintf_chk will always overflow destination buffer

 * Please do not file a Gentoo bug and instead report the above QA
 * issues directly to the upstream developers of this software.
 * Homepage: http://www.scilab.org/
 * To tell Scilab about your printers, set the environment
 * variable PRINTERS in the form:
 * 
 * PRINTERS="firstPrinter:secondPrinter:anotherPrinter"
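
Added example, not part of the bug report and not scilab source: the pattern behind the strcpy, sprintf and getwd warnings in the log above, next to size-checked replacements. The guarded function, all names, buffer sizes and strings are constructed for illustration; the code at intgget.c:749 and sp.c:546 is not shown on this page.

```c
/* Added illustration, not scilab source; all names and sizes are constructed. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_LEN 4 /* constructed: smaller than the strings written below */

#ifdef DEMO_OVERFLOW
/* gcc -O2 -D_FORTIFY_SOURCE=2 -DDEMO_OVERFLOW: both source lengths are constants
 * larger than the destination, so the fortified calls are flagged at build time. */
void flagged(void)
{
    char name[NAME_LEN], msg[NAME_LEN];
    strcpy(name, "figure_style");
    sprintf(msg, "%s", "iteration");
    printf("%s %s\n", name, msg);
}
#endif

/* Copy src into dst; -1 if src plus its NUL does not fit. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Format "label=value"; -1 on encoding error or truncation. */
int format_bounded(char *dst, size_t dstsz, const char *label, int value)
{
    int n = snprintf(dst, dstsz, "%s=%d", label, value);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* getcwd() takes the buffer size that getwd() cannot; -1 if it is too small. */
int current_dir(char *dst, size_t dstsz)
{
    return getcwd(dst, dstsz) != NULL ? 0 : -1;
}

int main(void)
{
    char name[NAME_LEN];
    printf("%d %d\n", copy_bounded(name, sizeof name, "abc"),
           copy_bounded(name, sizeof name, "figure_style"));
    return 0;
}
```

The DEMO_OVERFLOW block is compiled out by default; it only exists to reproduce the build-time diagnostics with optimisation enabled, as the description notes.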
Comment 3 Thomas Kahle (RETIRED) gentoo-dev 2010-10-02 16:35:21 UTC
Forget about this version, it is from the stone age and will be removed soon.
We are working on a new scilab ebuild in bug 237572 and the science overlay.
Comment 4 Pacho Ramos gentoo-dev 2012-10-06 11:49:39 UTC
Any news here? If you are not able to move the latest versions from the overlay to the tree, maybe we should treeclean this and point people to use the overlay (like was done some months ago with another hard-to-maintain sci package).
Comment 5 Andrew Savchenko gentoo-dev 2012-11-25 15:59:03 UTC
Hello,

Pacho, at this moment you masked the whole package instead of <scilab-5 versions. This leads to overlay versions being blocked as well. (Of course I can unmask package manually, but this is another story.)
Comment 6 Pacho Ramos gentoo-dev 2012-11-25 23:20:53 UTC
(In reply to comment #5)
> Hello,
> 
> Pacho, at this moment you masked the whole package instead of <scilab-5
> versions. This leads to overlay versions being blocked as well. (Of course I
> can unmask package manually, but this is another story.)

+  25 Nov 2012; Pacho Ramos <pacho@gentoo.org> package.mask:
+  Previous scilab mask entry also masks overlay versions by error
+
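Review bot: the ChangeLog entry says the previous scilab mask was wrong but not what it was narrowed to. Naming the new atom in the message (comment #5 asks for only <scilab-5 versions to be masked) would let readers confirm from the log alone that overlay versions are no longer caught.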

Thanks for noticing!
Comment 7 Pacho Ramos gentoo-dev 2012-12-25 13:19:53 UTC
dropped from the tree, use sci overlay versions instead