Hi,
I'm trying to build a package for resubmission. However, it fails with
messages like this:
In file included from ./include/UpTools/UpLog.h:77,
from UpLog.cc:46:
UpLog.cc: In function 'void upOpenLogFileInternal(const char*, int, const
char*, int, int (*)(char*))':
./include/UpTools/UpLog.inl:63:30: error: format not a string literal and
no format arguments [-Werror=format-security]
63 | syslog(level, __VA_ARGS__ ); \
| ^
End of message
The line in the code is:
n += snprintf(logbuf+n,MAXLOGLINE-1-n, __VA_ARGS__ ); \
And also this warning:
UpLog.cc: In function 'void upOpenLogInternal(const char*, int, int, int)':
./include/UpTools/UpLog.inl:69:11: warning: ignoring return value of
'ssize_t write(int, const void*, size_t)' declared with attribute
'warn_unused_result' [-Wunused-result]
69 | ::write(upLogFd,logbuf,n); \
| ~~~~~~~^~~~~~~~~~~~~~~~~~
./include/UpTools/UpLog.h:115:26: note: in expansion of macro '_UPLOG_'
115 | #define UPLOG(level,...) _UPLOG_(level, __VA_ARGS__ )
End of message
The line in the code is:
if(upLogPerror) ::write(2,logbuf,n); \
Regarding the "format not a string literal and no format arguments
[-Werror=format-security]" message:
AFAIK, instructions of the kind printf(format,var1,var2,...) will always fail,
since it can't verify at compile time that the format includes the number
of variables that appear later.
If the developer does not use formats entered by the user, the exploit
disappears, doesn't it?
So the question is: in this case, can I override the Fedora compiler flags?
Thanks in advance!
--
Sergio Belkin
LPIC-2 Certified -
http://www.lpi.org
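
An added example, not part of the original message and not UpTools code: a minimal C sketch of the pattern behind the two diagnostics quoted above, a variadic logging macro whose first variadic argument becomes the format string, and an unchecked write(). The names log_format, log_untrusted, write_all and LOG_LINE are hypothetical, and the value of MAXLOGLINE is assumed.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAXLOGLINE 256 /* name from the post; the value is assumed */

/* Hypothetical helper. The format attribute makes GCC check each call
 * site (-Wformat, -Wformat-security) the way it checks printf itself. */
__attribute__((format(printf, 3, 4)))
int log_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0 || cap == 0) return -1;
    return (size_t)n >= cap ? (int)(cap - 1) : n; /* bytes stored */
}

/* Flagged pattern: a macro that forwards bare __VA_ARGS__ and is called
 * with one runtime string makes that string the format. Prefixing ""
 * forces a literal format: LOG_LINE(buf, msg) no longer compiles. */
#define LOG_LINE(buf, ...) log_format((buf), sizeof(buf), "" __VA_ARGS__)

/* Runtime text is passed as data under a constant "%s" format. */
int log_untrusted(char *buf, size_t cap, const char *msg)
{
    return log_format(buf, cap, "%s", msg);
}

/* Addresses -Wunused-result: retry short writes and EINTR, report errors. */
int write_all(int fd, const char *p, size_t len)
{
    while (len > 0) {
        ssize_t w = write(fd, p, len);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; len -= (size_t)w;
    }
    return 0;
}

int main(void)
{
    char line[MAXLOGLINE];
    int n = LOG_LINE(line, "pid=%d ", 42); /* literal format: accepted */
    n += log_untrusted(line + n, sizeof(line) - (size_t)n, "100%n done\n"); /* constructed input */
    return write_all(STDERR_FILENO, line, (size_t)n) == 0 ? 0 : 1;
}
```

LOG_LINE relies on sizeof(buf), so it only works when buf is an array in scope, not a pointer.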