1037075 – ga FTBFS if "-Werror=format-security" flag is used

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1037075 - ga FTBFS if "-Werror=format-security" flag is used

Summary: ga FTBFS if "-Werror=format-security" flag is used

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	ga
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	David Brown
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1038083 984605
TreeView+	depends on / blocked

Reported:	2013-12-03 03:04 UTC by Dhiru Kholia
Modified:	2014-03-27 13:16 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-03-26 15:32:00 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
start backporting to older Fedora/epel6 (4.96 KB, patch) 2014-02-28 12:38 UTC, marcindulak	no flags	Details \| Diff
View All

Description Dhiru Kholia 2013-12-03 03:04:23 UTC

Description of problem
----------------------

ga fails to build if "-Werror=format-security" flag is used.

...

ma/ma.c:1379:17: error: format not a string literal and no format arguments [-Werror=format-security]
ma/ma.c:1403:17: error: format not a string literal and no format arguments [-Werror=format-security]
ma/ma.c:1428:17: error: format not a string literal and no format arguments [-Werror=format-security]

...

We are working on a proposal to enable "-Werror=format-security" for all
packages. Once this flag is enabled, GCC will refuse to compile code that could
be vulnerable to a string format security flaw. For more details, please see
https://fedorahosted.org/fesco/ticket/1185 page.

To understand why it is important to fix this, please see
https://fedoraproject.org/wiki/Format-Security-FAQ page.

How to fix this
---------------

The fix for these errors is quite simple. It's a matter of changing a
line like,

printf(foo);

to read,

printf("%s", foo);

That's it.

Please fix this issue in rawhide with a patch (which you should submit
to upstream to merge moving forward). Please do a new build with the
fix in rawhide. Other releases do not need to be directly fixed, but
there should be no harm in pushing out this fix/patch with other needed
changes to those branches.

In the event you don't fix this bug before the next mass rebuild,
provenpackagers may step in and update your package(s) to fix this
issue.

How reproducible
----------------

Build ga-5.1.1-8.fc21.src.rpm with "-Werror=format-security" flag to reproduce the problem.

To make this process easier, you can use a modified "redhat-rpm-config" package
from http://people.fedoraproject.org/~halfie/artifacts/redhat-rpm-config/ URL.

$ sha256sum redhat-rpm-config-9.1.0-56.fc20.*
faad7594b2080fe76497d0ce50808c905a93dd7b41c1defdde5ca57e3833d3d2 redhat-rpm-config-9.1.0-56.fc20.noarch.rpm
5aa9357174305c7285ffdbc92d7ffe1c07a8a95d5459b930461308f5aad75413 redhat-rpm-config-9.1.0-56.fc20.src.rpm

Comment 1 David Brown 2014-01-14 21:48:23 UTC

So does rawhide have this enabled by default yet? (or) How can I run mock locally to make sure its fixed?

I'm currently on Fedora 20.

Comment 2 marcindulak 2014-01-25 17:01:36 UTC

For example:
mock -r fedora-rawhide-i386 --rebuild ./ga-5.1.1-8.fc21.src.rpm
See http://fedoraproject.org/wiki/Using_Mock_to_test_package_builds
Or use koji (see http://fedoraproject.org/wiki/Using_the_Koji_build_system), e.g.:
koji build --scratch --arch-override i686 rawhide ./ga-5.1.1-8.fc21.src.rpm

Comment 3 David Brown 2014-01-27 18:59:52 UTC

Okay I think I have a build for rawhide that works.

Task Info: http://koji.fedoraproject.org/koji/taskinfo?taskID=6460192
Build Info: http://koji.fedoraproject.org/koji/buildinfo?buildID=494200

I'm currently backporting to f20/epel5/epel6.

Comment 4 marcindulak 2014-02-28 12:38:09 UTC

Created attachment 869017 [details]
start backporting to older Fedora/epel6

Trying to build for epel5 (with a trivially modified spec) fails - see http://koji.fedoraproject.org/koji/taskinfo?taskID=6579813
Use the patch as a starting point. Note that in order to link nwchem against ga i enabled configure --enable-peigs.

Comment 5 David Brown 2014-02-28 22:21:43 UTC

Marcin,

I'll take a look at the patch for the spec.

How did you approach ripping out the GA parts of the NWChem build? Would it be easier if I included some of the makefiles generated by GA in the devel packages? This way you could include them as part of the build of NWChem? Did you make the openmpi nwchem use ibverbs?

Also, depending on how far you want to go, I think the upstream NWChem guys would be receptive to autotooling the NWChem build. They just don't have the money or time to make that happen here at PNNL. I can help facilitate patches to the primary developers here at PNNL to include NWChem in EPEL or Fedora with a proper build system as well.

Comment 6 marcindulak 2014-03-01 12:29:02 UTC

(In reply to David Brown from comment #5)
> Marcin,
> 
> I'll take a look at the patch for the spec.
> 
> How did you approach ripping out the GA parts of the NWChem build?

for the moment i do:

# remove bundling of GA
rm -rf src/tools
sed -i "/^include.*makecoms\.h/d" src/GNUmakefile
sed -i "/^include.*makemp\.h/d" src/GNUmakefile
sed -i "/.*-C tools configure_ga$/d" src/GNUmakefile
sed -i "s/NW_CORE_SUBDIRS = tools/NW_CORE_SUBDIRS =/" src/config/makefile.h
sed -i "s|INCPATH =.*|INCPATH = -I\$(MPI_INCLUDE)|" src/config/makefile.h
sed -i "s|-lga -larmci|-L\$(MPI_LIB) -lga -larmci|" src/config/makefile.h

 Would it
> be easier if I included some of the makefiles generated by GA in the devel
> packages?

i hope one can just get rid completely of any GA related files when
building Nwchem - one needs to do that in the %prep section:
http://fedoraproject.org/wiki/Packaging:Treatment_Of_Bundled_Libraries#Packages_with_Bundled_Libraries

 This way you could include them as part of the build of NWChem?
> Did you make the openmpi nwchem use ibverbs?

no, i do a standard linking to openmpi.
Building GA --with-openib is actually a concern of Nwchem developers:
http://www.nwchem-sw.org/index.php/Special:AWCforum/st/id1164/Building_Nwchem_against_a_separa....html

> 
> Also, depending on how far you want to go, I think the upstream NWChem guys
> would be receptive to autotooling the NWChem build. They just don't have the
> money or time to make that happen here at PNNL. I can help facilitate
> patches to the primary developers here at PNNL to include NWChem in EPEL or
> Fedora with a proper build system as well.

for the moment my priority is to get few more packages into Fedora.
Changing the build system of Nwchem would be a large task.

Comment 8 marcindulak 2014-03-26 13:05:57 UTC

Hi, any progress about the patch?

Comment 9 David Brown 2014-03-26 15:32:00 UTC

Marcin,

The GA package is patched and has a build for Fedora 21.

http://koji.fedoraproject.org/koji/buildinfo?buildID=500173

So I think it means its fixed now. Just wanted to wait until the mirrors got the right version out there and forgot to close it.

Comment 10 marcindulak 2014-03-27 13:16:05 UTC

OK. I have opened two separate bugs that deal with the patch: bug #1081403 and bug #1081404

Note You need to log in before you can comment on or make changes to this bug.