Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 520308

Summary: sys-process/numad-0.5-r1 - numad.c:174:5: error: format not a string literal and no format arguments [-Werror=format-security]
Product: Gentoo Linux Reporter: Agostino Sarubbo <ago>
Component: [OLD] Core systemAssignee: Gentoo's Team for Core System packages <base-system>
Severity: normal CC: 89q1r14hd, cardoe, sam, tb
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 713576, 259417    
Attachments: numad-0.5-r1:20140820-103146.log

Description Agostino Sarubbo gentoo-dev 2014-08-20 10:35:08 UTC
This is an auto-filled bug because this package fails to compile with format-security. To reproduce use CFLAGS -Werror=format-security.

ortage 2.2.8-r1 (default/linux/amd64/13.0, gcc-4.7.3, glibc-2.19-r1, 3.2.61-hardened-r2-xxxx-std-ipv6-64 x86_64)
System uname: Linux-3.2.61-hardened-r2-xxxx-std-ipv6-64-x86_64-Intel-R-_Xeon-R-_CPU_E3-1245_V2_@_3.40GHz-with-gentoo-2.2
KiB Mem:    32857344 total,  21548488 free
KiB Swap:          0 total,         0 free
ld ld di GNU (Gentoo 2.23.2 p1.0) 2.23.2
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.7, 3.2.5-r6, 3.3.5-r1
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.19-r1
Repositories: gentoo x-portage
CFLAGS="-march=native -Wformat -Werror=format-security -g0 -O2"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/apache2-php5.4/ext-active/ 
/etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cgi-php5.4/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.3/ext-active/ 
/etc/php/cli-php5.4/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d 
/etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -Wformat -Werror=format-security -g0 -O2"
EMERGE_DEFAULT_OPTS="--with-bdeps y --keep-going y -1"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs 
protect-owned sandbox sfperms sign split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 
--exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X acl amd64 berkdb bzip2 cairo cli consolekit cracklib crypt cxx dbus dri fortran gdbm gudev hwdb iconv icu ipv6 jpeg minizip mmx modules multilib ncurses nls nptl ogg openmp pam 
pax_kernel pcre png policykit python qt3support qt4 readline session sse sse2 ssl tcpd unicode vorbis zlib" ABI_X86="64" ELIBC="glibc" KERNEL="linux" 
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="am fil zh af ca cs da de el es et gl hu nb nl pl pt ro ru sk sl sv uk bg cy en eo fo ga he id ku lt lv mk ms nn 
sw tn zu ja zh_TW en_GB pt_BR ko zh_CN ar en_CA fi kk oc sr tr fa wa nds as be bn bn_BD bn_IN en_US es_AR es_CL es_ES es_MX eu fy fy_NL ga_IE gu gu_IN hi hi_IN is ka kn ml mr nn_NO or 
pa pa_IN pt_PT rm si sq sv_SE ta ta_LK te th vi ast dz km my om sh ug uz ca@valencia sr@ijekavian sr@ijekavianlatin sr@latin csb hne mai se es_LA fr_CA zh_HK br la no es_CR et_EE 
sr_CS bo hsb hy mn sr@Latn lb ne bs tg uz@cyrillic xh be_BY brx ca_XV dgo en_ZA gd kok ks ky lo mni nr ns pap ps rw sa_IN sat sd ss st sw_TZ ti ts ve mt ia az me tl ak hy_AM lg nso 
son ur_PK it fr nb nb_NO hr nan ur tk cs_CZ da_DK de_1901 de_CH en_AU lt_LT pl_PL sa sk_SK th_TH ta_IN tt sco ha mi ven ar_SY el_GR ro_RO ru_RU sl_SI uk_UA vi_VN ar_SY te_IN de_DE 
es_VE fa_IR fr_FR hu_HU id_ID it_IT ja_JP ka_GE nl_NL sr_BA sr_RS ca_ES fi_FI he_IL jv ru_gold yi eu_ES" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif 
fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi addition auth_pam cache_purge dav dav_ext degradation 
echo fancyindex flv geoip gunzip gzip_static headers_more image_filter lua metrics mp4 naxsi perl push push_stream random_index realip secure_link security slowfs_cache spdy 
stub_status sub upload_progress upstream_check xslt ajp auth_request mogilefs sticky" NGINX_MODULES_MAIL="imap pop3 smtp" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-4 
php5-5" PYTHON_SINGLE_TARGET="python2_7 python3_3" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU"
USE_PYTHON="2.7 3.3"
Comment 1 Agostino Sarubbo gentoo-dev 2014-08-20 10:35:09 UTC
Created attachment 383180 [details]

build log
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-20 11:04:15 UTC
Ago, you're doing this wrong. If you set your CFLAGS to /warn/ about format security, you catch all of them at once, while right now you're just catching the first one and then the build fails.
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-20 15:37:05 UTC
(In reply to Jeroen Roovers from comment #2)
> Ago, you're doing this wrong. If you set your CFLAGS to /warn/ about format
> security, you catch all of them at once, while right now you're just
> catching the first one and then the build fails.

You are right, but I hope that the maintainer will recompile with format-security to check his fix and if there are more issues, he's able to see them
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2016-02-01 01:52:01 UTC
I'm inclined to remove this package from the tree. Upstream is pretty crummy. They do random code drops into git but develop this package outside of git.
Comment 5 SpanKY gentoo-dev 2016-02-01 17:37:05 UTC
-Werror=format-security bugs generally should go upstream, but they shouldn't impact a package on our side.  these auto-filed bugs aren't generally useful.
Comment 6 Doug Goldstein (RETIRED) gentoo-dev 2016-02-02 23:00:59 UTC
(In reply to SpanKY from comment #5)
> -Werror=format-security bugs generally should go upstream, but they
> shouldn't impact a package on our side.  these auto-filed bugs aren't
> generally useful.

So a follow up from the guy that does the commits into that package repo. He says he's not the developer or maintainer. The people that maintain numad refuse to use git and he's just the Fedora packager and he's committing into git the source as he gets it from the maintainers and he can't provide contain info for the actual maintainers.
Comment 7 SpanKY gentoo-dev 2016-02-03 01:41:07 UTC
(In reply to Doug Goldstein from comment #6)

i vaguely recall the redhat guys also track format-security bugs.  maybe file the bug in their bugzilla and see if that helps ? :)
Comment 8 Pacho Ramos gentoo-dev 2018-03-10 21:31:07 UTC
in Fedora and Debian they are using a newer git snapshot from 20150602, maybe that could help, for them it fixes this bug (and others)
Comment 9 Niklāvs Koļesņikovs 2022-06-19 13:09:33 UTC
This is still an ongoing issue. Should this issue not be re-opened and set to block bug #713576, so that it correctly shows up as a blocker in the current format-security tracking bug?
Comment 10 Larry the Git Cow gentoo-dev 2022-06-20 05:04:11 UTC
The bug has been closed via the following commit(s):

commit 4e3b9beabb52e2163a358da546e33b4634617fdd
Author:     Sam James <>
AuthorDate: 2022-06-20 03:20:37 +0000
Commit:     Sam James <>
CommitDate: 2022-06-20 05:03:49 +0000

    sys-process/numad: fix -Wformat-security
    Signed-off-by: Sam James <>

 .../numad/files/numad-0.5-wformat-security.patch   | 19 ++++++++
 sys-process/numad/numad-0.5-r4.ebuild              | 53 ++++++++++++++++++++++
 2 files changed, 72 insertions(+)