Enabling "-Werror=format-security" by default
Dhiru Kholia
dhiru.kholia at gmail.com
Wed Nov 20 15:57:39 UTC 2013
Hi,
We are working on a proposal to enable "-Werror=format-security"
compilation flag for all packages in Fedora.
Once this flag is enabled, GCC will refuse to compile code that could be
vulnerable to a format string security flaw. For more details, please
see the https://fedorahosted.org/fesco/ticket/1185 page.
Enabling this option eliminates an entire class of security issues! To
further understand why it is important to fix such bugs, please see the
https://fedoraproject.org/wiki/Format-Security-FAQ page.
Currently, around 400 packages FTBFS if this flag is enabled. I am all
set to start filing the bugs (once given the green signal). In addition,
I am willing to help in patching these packages. I believe that this
work is important and will benefit everyone (including upstream and
other distributions).
I am attaching a sample Bugzilla bug report - this is what the actual
bug reports will look like.
--
Dhiru
-------------- next part --------------
Summary: grass FTBFS if "-Werror=format-security" flag is used
Description of problem:
grass fails to build if "-Werror=format-security" flag is used.
...
a2b.c:103:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:136:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:154:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:172:6: error: format not a string literal and no format arguments [-Werror=format-security]
We are working on a proposal to enable "-Werror=format-security" for all
packages. For more details, please see the https://fedorahosted.org/fesco/ticket/1185 page.
To understand why it is important to fix such bugs, please see the
https://fedoraproject.org/wiki/Format-Security-FAQ page.
How reproducible:
Build grass-6.4.3-5.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem.
To make this process easier, you can use a modified "redhat-rpm-config" package
from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ .
$ sha256sum redhat-rpm-config-9.1.0-56.fc20.*
faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2 redhat-rpm-config-9.1.0-56.fc20.noarch.rpm
5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413 redhat-rpm-config-9.1.0-56.fc20.src.rpm
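The "format not a string literal and no format arguments" errors quoted above all come from one call shape: a data pointer passed where a printf-family function expects its format string. The following is an added example, not code from the grass package or from Fedora's build tooling; it puts the flagged form next to the one-line fix, with constructed sample inputs and a hypothetical helper (`same_output`) that shows the two forms diverging as soon as the data contains a `%`. The `#pragma GCC diagnostic` pair exists only so the vulnerable function still compiles in this demonstration under `-Werror=format-security`.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the grass package or from Fedora's build
 * tooling. It shows the call shape that -Wformat-security diagnoses and the
 * one-line fix, using snprintf so the result can be inspected in a buffer.
 */

/* Constructed "untrusted" inputs: text an attacker could place in a log
   message, a filename, a user name, etc. */
static const char *BENIGN  = "job finished";
static const char *SUSPECT = "progress: 100%% done";   /* contains a %% pair */

/* Vulnerable form: the data pointer IS the format string.
   With -Werror=format-security GCC reports
     error: format not a string literal and no format arguments
   on the snprintf line. The pragma pair below only silences that
   diagnostic so the vulnerable and fixed forms can compile side by side
   in this example; do not do this in real code. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_vulnerable(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}
#pragma GCC diagnostic pop

/* Fixed form: a literal "%s" is the format and msg is an argument, so any
   %s/%x/%n directives inside msg are copied as plain characters. */
int log_fixed(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Hypothetical helper: returns 1 if msg contains a '%' that printf would
   try to interpret, i.e. any '%' not escaped as "%%". This is the check a
   reviewer applies by eye when asked "is this string safe as a format?" */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hypothetical helper: renders msg through both forms and reports whether
   the output is identical. 0 means that treating the data as a format has
   already changed the result. Only "%%" is used in the samples so the
   vulnerable path stays well-defined in this demonstration; with "%s" or
   "%n" in the data it would read or write memory instead. */
int same_output(const char *msg)
{
    char a[128], b[128];
    log_vulnerable(a, sizeof a, msg);
    log_fixed(b, sizeof b, msg);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char buf[128];

    /* Identical output for plain text, which is why the bug hides in testing. */
    log_vulnerable(buf, sizeof buf, BENIGN);
    printf("vulnerable, benign input : \"%s\"\n", buf);
    log_fixed(buf, sizeof buf, BENIGN);
    printf("fixed,      benign input : \"%s\"\n", buf);

    /* Different output once the data contains a directive: the vulnerable
       call consumes "%%" and emits one '%', the fixed call copies verbatim. */
    log_vulnerable(buf, sizeof buf, SUSPECT);
    printf("vulnerable, suspect input: \"%s\"\n", buf);
    log_fixed(buf, sizeof buf, SUSPECT);
    printf("fixed,      suspect input: \"%s\"\n", buf);

    printf("same_output(SUSPECT) = %d\n", same_output(SUSPECT));
    return 0;
}
```

Compiling the block with `gcc -Werror=format-security` and the two pragma lines removed reproduces the exact diagnostic text from the grass build log, on the `snprintf(out, n, msg)` line. The fix never changes behaviour for data that contains no `%`, which is why such bugs survive normal testing and why a compiler check is the right place to catch them.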