Bug#661536: libdbd-pg-perl: FTBFS with hardening flags enabled: -Werror=format-security

Niko Tyni ntyni at debian.org
Fri Mar 9 06:33:32 UTC 2012
forwarded 661536 https://rt.cpan.org/Public/Bug/Display.html?id=75642
severity 661536 grave
tag 661536 security patch
found 661536 2.17.1-2
thanks

On Mon, Feb 27, 2012 at 09:31:31PM +0000, Dominic Hargreaves wrote:
> Source: libdbd-pg-perl
> Severity: normal
> Version: 2.18.1-1
> 
> With hardening flags enabled, this package FTBFS:
> 
> dbdimp.c: In function 'pg_warn':
> dbdimp.c:331:4: error: format not a string literal and no format arguments [-Werror=format-security]
> dbdimp.c: In function 'pg_st_prepare':
> dbdimp.c:1534:4: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors

These format strings can be injected by a malicious server,
so raising the severity. A DSA will be issued for squeeze.

I've just notified upstream via the RT ticket. Could somebody from the
pkg-perl team (I believe Dominic already volunteered) please prepare
updated packages (built with -sa for stable-security as this is new
there)?  Trivial patch attached.
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Explicitly-warn-and-croak-with-controlled-format-str.patch
Type: text/x-diff
Size: 1045 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20120309/b65df8c4/attachment-0001.patch>
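The two compiler errors above and the patch title ("warn and croak with controlled format string") describe one bug pattern: text received from the PostgreSQL server is handed to a printf-style function as the format argument rather than as data. The following is an added example, not code from DBD::Pg or from the attached patch; `message_sink` is a hypothetical stand-in for Perl's `warn()`/`croak()`, and the server message is constructed. It shows the vulnerable call beside the fixed one, and a small check for conversion directives in untrusted text.

```c
/* Added example (not from dbdimp.c): why passing a server-supplied message
 * straight through as a printf-style format is dangerous, and the fix that
 * -Werror=format-security pushes you towards: a literal "%s" format. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl's warn()/croak(): a variadic printf-style
 * sink.  With a format attribute on it, gcc -Wformat-security would flag the
 * vulnerable caller below exactly as it flagged pg_warn and pg_st_prepare. */
static void message_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the message text itself becomes the format string.
 * Any %x / %s / %n in it is interpreted, with no matching arguments,
 * so the server controls stack reads and, via %n, memory writes. */
static const char *vulnerable_pg_warn(const char *server_msg)
{
    static char buf[256];
    message_sink(buf, sizeof buf, server_msg);   /* format not a string literal */
    return buf;
}

/* Fixed pattern: a literal, controlled format; the message is only data. */
static const char *fixed_pg_warn(const char *server_msg)
{
    static char buf[256];
    message_sink(buf, sizeof buf, "%s", server_msg);
    return buf;
}

/* Does an untrusted string contain a conversion that would consume
 * arguments or write memory if it were ever used as a format?
 * "%%" is a literal percent sign and is not counted. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%": escaped percent, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed message, as a malicious server could send it in an error
     * or NOTICE payload.  "%%" is used for the demonstration because it is the
     * one directive whose interpretation is well defined with no arguments;
     * an attacker would use %x (stack disclosure) or %n (memory write). */
    const char *server_msg = "ERROR: 100%% of connections refused";

    /* The vulnerable path collapses "%%" to "%": the text was run as a format. */
    printf("vulnerable: %s\n", vulnerable_pg_warn(server_msg));
    /* The fixed path reproduces the message verbatim. */
    printf("fixed:      %s\n", fixed_pg_warn(server_msg));
    printf("directive in \"%%x%%x%%n\": %d\n", has_format_directive("%x%x%n"));
    return 0;
}
```

The check in `has_format_directive` is a diagnostic aid only; the actual fix is never to let untrusted text reach the format parameter, which is what passing `"%s", msg` guarantees regardless of the message contents.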