Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 340909

Summary: games-action/trackballs _FORTIFY_SOURCE indicates presence of overflow
Product: Gentoo Linux Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: [OLD] GamesAssignee: Gentoo Games <games>
Severity: major CC: hardened
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 259417    
Attachments: Build log
Patch to trackballs-1.1.4.ebuild to fix _FORTIFY_SOURCE issue and snprintf non-literal format issues

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-14 01:08:37 UTC
You're receiving this bug because the package in Summary has produced _FORTIFY_SOURCE related warnings indicating the presence of a sure overflow in a static buffer.

Even though this is not always an indication of a security problem it might even be. So please check this out ASAP.

By the way, _FORTIFY_SOURCE is disabled when you disable optimisation, so don't try finding out the cause using -O0.

Your friendly neighborhood tinderboxer
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-14 01:08:59 UTC
Created attachment 250511 [details]
Build log
Comment 2 Kevin Pyle 2010-10-14 03:55:03 UTC
Created attachment 250519 [details, diff]
Patch to trackballs-1.1.4.ebuild to fix _FORTIFY_SOURCE issue and snprintf non-literal format issues

This adds sed statements to fix the following upstream issues:

- Use of wrong variable in a sizeof() in src/ caused a _FORTIFY_SOURCE warning.
- Use of non-literal with no format arguments in src/ and src/  This has the potential to cause the program to dereference invalid pointers or otherwise generate unwanted strings.  In the worst case, use of a %n would cause glibc to abort the program as a security precaution.  The sed calls convert from:

  snprintf(X, sizeof(X), VAR)


  snprintf(X, sizeof(X), "%s", VAR)

This should produce equivalent behavior in the normal case where no format escapes were used, and will prevent misbehavior in the bad case where a format escape is introduced.
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2010-10-14 04:40:48 UTC
In portage.