Bug#661539: libfile-mmagic-xs-perl: FTBFS with hardening flags enabled: -Werror=format-security

Niko Tyni ntyni at debian.org
Mon Mar 5 20:33:58 UTC 2012

tag 661539 patch

On Mon, Feb 27, 2012 at 09:38:48PM +0000, Dominic Hargreaves wrote:
> Source: libfile-mmagic-xs-perl
> Severity: normal
> Version: 0.09006-3
> User: debian-qa at lists.debian.org
> Usertags: hardening-format-security hardening
> With hardening flags enabled, this package FTBFS:
> src/perl-mmagic-xs.c: In function 'fmm_parse_magic_line':
> src/perl-mmagic-xs.c:930:9: error: format not a string literal and no format arguments [-Werror=format-security]

This can be triggered with

    $ perl -MFile::MMagic::XS -e 'File::MMagic::XS->new->add_magic("%s%s%s%s")'
    Segmentation fault (core dumped)

I can't see obvious security implications. A system that processes
untrusted magic(5) lines doesn't seem very likely. Cc'ing the security
team anyway in case they can think of something.

In any case, this should be fixed and forwarded upstream.
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Call-croak-with-a-controlled-format-string.patch
Type: text/x-diff
Size: 1020 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120305/76f22fa2/attachment.patch>
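The bug in miniature, as an added C example (not code from the package or from the attached patch): a printf-style error sink standing in for Perl's croak(), the call shape gcc flags at perl-mmagic-xs.c:930 (the magic line itself used as the format), and the controlled-format fix the patch title describes. The helper names (report, parse_error_unsafe, parse_error_fixed, preserves_line) and the sample magic line are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for croak(): a printf-style error sink. Perl's real
 * croak() is declared with a printf format attribute, which is what lets
 * gcc -Wformat-security flag a non-literal format; this stand-in omits the
 * attribute so the demonstration compiles without warnings. */
static void report(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The pattern flagged in the bug report: the line read from the magic file
 * becomes the format string. A line such as "%s%s%s%s" makes vsnprintf read
 * pointers from an empty argument list, which is the segfault shown above.
 * Only exercised with a benign "%%" line below; never feed it the trigger. */
static void parse_error_unsafe(char *out, size_t outsz, const char *line)
{
    report(out, outsz, line);          /* format not a string literal */
}

/* Fixed form: a literal format, the untrusted line passed as an argument.
 * Whatever '%' sequences the line contains are copied through verbatim. */
static void parse_error_fixed(char *out, size_t outsz, const char *line)
{
    report(out, outsz, "unknown magic line: %s", line);
}

/* Check used in main(): 1 if the raw line survives intact in the output. */
static int preserves_line(const char *out, const char *line)
{
    return strstr(out, line) != NULL;
}

int main(void)
{
    /* Constructed sample magic(5) line containing a literal percent sign. */
    const char *line = "0  string  100%%  percent-sign";
    char buf[128];

    parse_error_unsafe(buf, sizeof buf, line);
    printf("unsafe: %s (line preserved: %d)\n", buf, preserves_line(buf, line));

    parse_error_fixed(buf, sizeof buf, line);
    printf("fixed:  %s (line preserved: %d)\n", buf, preserves_line(buf, line));
    return 0;
}
```

The unsafe path is only run on a "%%" line, where the interpretation is visible (the pair collapses to a single "%") without undefined behaviour; the "%s%s%s%s" trigger from the report is deliberately not passed to it. The fixed path reproduces any line, trigger included, byte for byte.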