[glade2] use string literals as format strings (#1037088)

Nils Philippsen nphilipp at fedoraproject.org
Tue Dec 3 10:06:18 UTC 2013


commit db5b48aea1a597a28039e5a3221088e19a54d42a
Author: Nils Philippsen <nils at redhat.com>
Date:   Tue Dec 3 11:05:53 2013 +0100

    use string literals as format strings (#1037088)

 glade-2.12.2-format-security.patch |   33 +++++++++++++++++++++++++++++++++
 glade2.spec                        |    8 +++++++-
 2 files changed, 40 insertions(+), 1 deletions(-)
---
diff --git a/glade-2.12.2-format-security.patch b/glade-2.12.2-format-security.patch
new file mode 100644
index 0000000..a7242bb
--- /dev/null
+++ b/glade-2.12.2-format-security.patch
@@ -0,0 +1,33 @@
+diff -up glade-2.12.2/glade/main.c.format-security glade-2.12.2/glade/main.c
+--- glade-2.12.2/glade/main.c.format-security	2007-12-08 23:56:06.000000000 +0100
++++ glade-2.12.2/glade/main.c	2013-12-03 10:44:16.101618735 +0100
+@@ -514,7 +514,7 @@ glade_write_session_files (GnomeClient *
+   error = glade_util_ensure_directory_exists (session_dir_utf8);
+   if (error)
+     {
+-      fprintf (stderr, error->message);
++      fprintf (stderr, "%s", error->message);
+       glade_error_free (error);
+       goto out;
+     }
+@@ -525,7 +525,7 @@ glade_write_session_files (GnomeClient *
+   GladeSessionFile = NULL;
+   if (error)
+     {
+-      fprintf (stderr, error->message);
++      fprintf (stderr, "%s", error->message);
+       glade_error_free (error);
+     }
+ 
+diff -up glade-2.12.2/glade/source.c.format-security glade-2.12.2/glade/source.c
+--- glade-2.12.2/glade/source.c.format-security	2007-12-08 23:56:06.000000000 +0100
++++ glade-2.12.2/glade/source.c	2013-12-03 10:46:40.583077353 +0100
+@@ -2454,7 +2454,7 @@ source_ensure_decl	(GbWidgetWriteSourceD
+ 			 const gchar		 *decl)
+ {
+   if (!glade_util_strstr (data->source_buffers[GLADE_DECLARATIONS]->str, decl))
+-    source_add_decl (data, decl);
++    source_add_decl (data, "%s", decl);
+ }
+ 
+ 
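Review bot: The three rewritten calls (two `fprintf (stderr, ...)` in glade/main.c and `source_add_decl` in glade/source.c) are all sites where a non-literal format is passed with no arguments, which is the only case `-Wformat-security` reports, assuming that warning is how they were found. A call that passes a variable format together with arguments would not be flagged by it, so a one-off build with `-Wformat-nonliteral` would be needed to confirm that no such call remains in glade; nothing visible here shows whether one exists. The patch file also starts directly at `diff -up` with no header. A line above it such as `Pass error->message and decl as "%s" arguments so '%' sequences in them are not interpreted (#1037088)`, plus a note on its upstream status, would document the change. Both `glade_write_session_files` and `source_ensure_decl` begin outside the quoted inner hunks.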
diff --git a/glade2.spec b/glade2.spec
index 7e49c97..434190e 100644
--- a/glade2.spec
+++ b/glade2.spec
@@ -3,13 +3,15 @@
 Summary:        User Interface Designer for GTK+ 2, legacy version
 Name:           glade2
 Version:        2.12.2
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        GPLv2+ and GFDL
 URL:            http://glade.gnome.org/
 Source:         http://download.gnome.org/sources/glade/2.12/glade-%{version}.tar.bz2
 # Fedora specific patches
 Patch0:         gnome-i18n.patch
 Patch1:         gtk-includes.patch
+# https://fedoraproject.org/wiki/Format-Security-FAQ
+Patch2:         glade-2.12.2-format-security.patch
 Group:          Development/Tools
 
 BuildRequires: glib2-devel 
@@ -40,6 +42,7 @@ the XML interface description files output by GLADE.
 %setup -q -n glade-%{version}
 %patch0 -p1 -b .gnome-i18n
 %patch1 -p1 -b .gtk-includes
+%patch2 -p1 -b .format-security
 
 # Fix the warnings from desktop-file-install 
 sed -i 's|Icon=glade-2.png|Icon=glade-2|g' glade-2.desktop.in
@@ -70,6 +73,9 @@ rm -rf $RPM_BUILD_ROOT/var/scrollkeeper
 %{_bindir}/*
 
 %changelog
+* Tue Dec 03 2013 Nils Philippsen <nils at redhat.com> - 2.12.2-17
+- use string literals as format strings (#1037088)
+
 * Thu Aug 15 2013 Nils Philippsen <nils at redhat.com> - 2.12.2-16
 - don't require bonobo-activation-devel for building (#992382)
 

