Enabling "-Werror=format-security" by default

Dhiru Kholia dhiru.kholia at gmail.com
Wed Nov 20 15:57:39 UTC 2013 

Hi,

We are working on a proposal to enable "-Werror=format-security"
compilation flag for all packages in Fedora.

Once this flag is enabled, GCC will refuse to compile code that could be
vulnerable to a string format security flaw. For more details, please
see https://fedorahosted.org/fesco/ticket/1185 page.

Enabling this option eliminates an entire class of security issues! To
further understand why it is important to fix such bugs, please see
https://fedoraproject.org/wiki/Format-Security-FAQ page.

Currently, around 400 packages FTBFS if this flag is enabled. I am all
set to start filing the bugs (once given the green signal). In addition,
I am willing to help in patching these packages. I believe that this
work is important and will benefit everyone (including upstream and
other distributions).

I am attaching a sample Bugzilla bug report - this is what the actual
bug reports will look like.

--
Dhiru
-------------- next part --------------
Summary: grass FTBFS if "-Werror=format-security" flag is used

Description of problem:

grass fails to build if "-Werror=format-security" flag is used.

...

a2b.c:103:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:136:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:154:3: error: format not a string literal and no format arguments [-Werror=format-security]
a2b.c:172:6: error: format not a string literal and no format arguments [-Werror=format-security]


We are working on a proposal to enable "-Werror=format-security" for all
packages. For more details, please see https://fedorahosted.org/fesco/ticket/1185 page.

To understand why it is important to fix such bugs, please see
https://fedoraproject.org/wiki/Format-Security-FAQ page.

How reproducible:

Build grass-6.4.3-5.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem.

To make this process easier, you can use a modified "redhat-rpm-config" package
from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL.

$ sha256sum redhat-rpm-config-9.1.0-56.fc20.*
faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2  redhat-rpm-config-9.1.0-56.fc20.noarch.rpm
5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413  redhat-rpm-config-9.1.0-56.fc20.src.rpm

More information about the devel mailing list