Enabling "-Werror=format-security" by default

Alexander Bokovoy abokovoy at redhat.com
Thu Nov 21 07:09:58 UTC 2013


On Wed, 20 Nov 2013, Dhiru Kholia wrote:
>Hi,
>
>We are working on a proposal to enable "-Werror=format-security"
>compilation flag for all packages in Fedora.
>
>Once this flag is enabled, GCC will refuse to compile code that could be
>vulnerable to a string format security flaw. For more details, please
>see https://fedorahosted.org/fesco/ticket/1185 page.
>
>Enabling this option eliminates an entire class of security issues! To
>further understand why it is important to fix such bugs, please see
>https://fedoraproject.org/wiki/Format-Security-FAQ page.
>
>Currently, around 400 packages FTBFS if this flag is enabled. I am all
>set to start filing the bugs (once given the green signal). In addition,
>I am willing to help in patching these packages. I believe that this
>work is important and will benefit everyone (including upstream and
>other distributions).
>
>I am attaching a sample Bugzilla bug report - this is what the actual
>bug reports will look like.

I think these reports are misleading, at least in the FreeIPA case.

freeipa-3.3.1-2.fc21.src.rpm/build.log:ipa_enrollment.c:320:5: error: format not a string literal and no format arguments [-Werror=format-security]
freeipa-3.3.1-2.fc21.src.rpm/build.log:ipa_enrollment.c:347:9: error: format not a string literal and no format arguments [-Werror=format-security]
freeipa-3.3.1-2.fc21.src.rpm/build.log:ipa_enrollment.c:360:5: error: format not a string literal and no format arguments [-Werror=format-security]

All three cases are dealing with the following lines:
    LOG("%s", errMesg ? errMesg : "success\n");
    LOG("%s", errMesg);
    LOG("%s", errMesg);

where the LOG macro expands to
    slapi_log_error(SLAPI_LOG_PLUGIN, NAME, format, arguments ... );

(SLAPI_LOG_PLUGIN and NAME are constants)

As you can see, in all these cases format *is* a string literal and
there are exact format arguments passed.

-- 
/ Alexander Bokovoy
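
Added example (not part of the original message and not FreeIPA code): a hypothetical printf-style logger and LOG macro of the shape described above, showing which call form `-Wformat -Werror=format-security` accepts and which it rejects. The names `log_error`, `last_line`, `log_message`, `LOG_LEVEL` and the `SHOW_DIAGNOSTIC` switch are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LEVEL 1         /* hypothetical constant, stands in for SLAPI_LOG_PLUGIN */
#define NAME "demo-plugin"  /* hypothetical subsystem name */

static char last_line[256]; /* last formatted message, kept so it can be inspected */

/* Hypothetical logger. The format attribute tells GCC that argument 3 is a
 * printf format and the variadic arguments start at 4, so the format checks
 * apply at every call site, including ones produced by macro expansion. */
__attribute__((format(printf, 3, 4)))
static int log_error(int level, const char *subsystem, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)level;
    (void)subsystem;
    va_start(ap, fmt);
    n = vsnprintf(last_line, sizeof(last_line), fmt, ap);
    va_end(ap);
    return n;
}

#define LOG(fmt, ...) log_error(LOG_LEVEL, NAME, fmt, ##__VA_ARGS__)

/* Accepted: the format is a literal; the variable text is only an argument. */
static int log_message(const char *msg)
{
    return LOG("%s", msg ? msg : "success\n");
}

#ifdef SHOW_DIAGNOSTIC
/* Rejected with "format not a string literal and no format arguments":
 * the variable itself is the format, so specifiers in it get interpreted. */
static int log_message_flagged(const char *msg)
{
    return LOG(msg);
}
#endif

int main(void)
{
    /* Constructed message that happens to contain conversion specifiers. */
    int n = log_message("bind failed for uid=%s (%d%%)");
    printf("%d bytes: %s\n", n, last_line);
    return 0;
}
```

Building with `-DSHOW_DIAGNOSTIC -Wformat -Werror=format-security` makes GCC stop at the `LOG(msg)` line; without the define the file compiles cleanly under the same flags.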

