Bug 1025257 - vorbis-tools FTBFS if "-Werror=format-security" flag is used
Summary: vorbis-tools FTBFS if "-Werror=format-security" flag is used
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: vorbis-tools
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1037378 1107110
Depends On:
Blocks: F21FTBFS
 
Reported: 2013-10-31 10:33 UTC by Dhiru Kholia
Modified: 2014-06-10 09:25 UTC
CC List: 6 users

Fixed In Version: vorbis-tools-1.4.0-14.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-10 09:25:45 UTC
Type: Bug
Embargoed:


Attachments
introduction of a new bug (1.17 KB, patch)
2014-06-03 15:52 UTC, Marcin Juszkiewicz
Flags: kdudka: review-

Description Dhiru Kholia 2013-10-31 10:33:23 UTC
vorbis-tools-1.4.0-12.fc21 FTBFS if "-Werror=format-security" flag is used.

..
status.c: In function ‘print_statistics_line’:
status.c:151:7: error: format not a string literal and no format arguments [-Werror=format-security]
       len += sprintf(str+len, stats->formatstr);

I am working on a proposal to enable "-Werror=format-security" for all packages. For more details, please see https://fedorahosted.org/fesco/ticket/1185.

Comment 1 Kamil Dudka 2013-10-31 17:11:53 UTC
I fully understand that the coding style of vorbis-tools does not match your preference.  However, the format string is never ever read from outside, so how are you confirming there is a real issue with the resulting binary packages?

Comment 2 Dhiru Kholia 2013-11-01 04:56:44 UTC
Well, it is not my personal coding style. It is a coding style which "Werror=format-security" likes to see.

There is no real security issue here (as you figured out) but it would be nice to see upstream adopting some "good" practices.

Comment 3 Kamil Dudka 2013-11-01 10:34:33 UTC
Two months ago I sent a one-line patch fixing a real issue (that can be seen as a security issue) to the upstream mailing-list with no interest so far:

http://lists.xiph.org/pipermail/vorbis-dev/2013-September/020345.html

I am afraid that sending them patches to just improve the coding style is not going to attract more interest...

The warning as it is implemented now just warns about poor coding style, which does not necessarily imply an error.  Hence, it should really be treated as a warning, not as error.

Comment 4 Kamil Dudka 2013-12-03 07:58:56 UTC
*** Bug 1037378 has been marked as a duplicate of this bug. ***

Comment 5 Marcin Juszkiewicz 2014-06-03 15:52:15 UTC
Created attachment 901847 [details]
introduction of a new bug

Comment 6 Marcin Juszkiewicz 2014-06-03 15:56:58 UTC
Reported upstream: https://trac.xiph.org/ticket/2025

Comment 7 Kamil Dudka 2014-06-03 19:48:33 UTC
Comment on attachment 901847 [details]
introduction of a new bug

This is not going to work because stats->formatstr needs to be treated as a format, not as just a string to be printed (with unconverted conversions inside).  In order to fix it, you need to write a bigger patch.
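The three approaches discussed in this thread side by side, as an added example that is not vorbis-tools code and not part of the bug report: the flagged `sprintf(str+len, stats->formatstr)` form is kept only in a comment because it does not build under -Werror=format-security; `render_as_text` is the attachment's "%s" approach that Comment 7 rejects because conversions inside the format come out literally; `render_as_format` passes the format string together with its argument, which is what satisfies -Wformat-security (the stricter -Wformat-nonliteral would still flag it). `struct stat_entry`, the two `render_*` helpers and the sample entries are hypothetical stand-ins for the status.c data; `print_statistics_line` borrows the function name from the error message but its body is this example's own, and it bounds each write with snprintf, which the quoted sprintf does not.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the status entries in status.c (added example,
 * not the project's code): a trusted, compile-time format plus the single
 * value that format expects. */
struct stat_entry {
    const char *formatstr;   /* e.g. "%.1f%%" */
    double value;            /* argument consumed by formatstr */
};

/* The line the report flags, kept as a comment because it does not build
 * under -Werror=format-security:
 *
 *     len += sprintf(str + len, stats->formatstr);
 *
 * No arguments follow the format, so any '%' conversion in formatstr would
 * consume a vararg that does not exist (undefined behaviour); if formatstr
 * never holds a conversion the call is merely bad style, which is the
 * false-positive case argued in Comment 1. */

/* Attachment's approach: print formatstr as plain text.  This silences the
 * warning, but a conversion such as "%.1f" is emitted literally instead of
 * being expanded, which is the objection raised in Comment 7. */
int render_as_text(char *dst, size_t cap, const struct stat_entry *e)
{
    return snprintf(dst, cap, "%s", e->formatstr);
}

/* Treat formatstr as the format it is and supply its argument.  The call
 * now carries format arguments, so -Wformat-security is satisfied. */
int render_as_format(char *dst, size_t cap, const struct stat_entry *e)
{
    return snprintf(dst, cap, e->formatstr, e->value);
}

/* Build one status line from several entries, accumulating len as status.c
 * does, but with snprintf so the fixed buffer cannot be overrun.  Returns
 * the number of characters written, excluding the terminating NUL. */
size_t print_statistics_line(char *str, size_t cap,
                             const struct stat_entry *stats, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < n && len < cap; i++) {
        int w = render_as_format(str + len, cap - len, &stats[i]);
        if (w < 0)
            break;                        /* encoding error: stop here */
        if ((size_t)w >= cap - len) {     /* output truncated: buffer full */
            len = cap - 1;
            break;
        }
        len += (size_t)w;
    }
    return len;
}

int main(void)
{
    /* Constructed sample entries, not data from vorbis-tools. */
    const struct stat_entry stats[] = {
        { "[%5.1f%%] ",     42.5  },
        { "rate %.0f kb/s", 128.0 },
    };
    char text[64];
    char line[64];

    render_as_text(text, sizeof text, &stats[0]);
    print_statistics_line(line, sizeof line, stats, 2);
    printf("as text  : %s\n", text);   /* conversion left unconverted */
    printf("as format: %s\n", line);   /* conversions expanded */
    return 0;
}
```

Compile with `-Wformat -Wformat-security` to confirm that neither helper is flagged, and with `-Wformat-nonliteral` to see that `render_as_format` still is; the only way to silence the latter is a literal format or a wrapper declared with the printf format attribute.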

Comment 8 Kamil Dudka 2014-06-09 20:56:18 UTC
*** Bug 1107110 has been marked as a duplicate of this bug. ***

Comment 9 Kamil Dudka 2014-06-10 09:25:45 UTC
fixed in vorbis-tools-1.4.0-14.fc21

