Bug#661546: libterm-slang-perl: FTBFS with hardening flags enabled: -Werror=format-security

Moritz Mühlenhoff jmm at inutil.org
Tue Mar 13 19:38:38 UTC 2012


On Fri, Mar 09, 2012 at 10:25:11AM +0200, Niko Tyni wrote:
> On Mon, Feb 27, 2012 at 09:43:10PM +0000, Dominic Hargreaves wrote:
> > Source: libterm-slang-perl
> > Severity: normal
> > Version: 0.07-11
> 
> [Joey: do you think we should still keep this package alive? See below.]
> 
> > User: debian-qa at lists.debian.org
> > Usertags: hardening-format-security hardening
> > 
> > With hardening flags enabled, this package FTBFS:
> > 
> > Slang.c: In function 'XS_Term__Slang_SLsmg_printf':
> > Slang.c:301:2: error: format not a string literal and no format arguments [-Werror=format-security]
> 
> This is wrapping the SLsmg_printf() vararg function in the
> S-lang library.
> 
> The current implementation of the Perl binding of SLsmg_printf() only uses
> the first argument, and is therefore equivalent to SLsmg_write_string()
> except that it breaks with format strings.
> 
> A program that calls SLsmg_printf() with untrusted data would be vulnerable.
> In practice that seems improbable, so I don't think this needs fixing in
> stable. Cc'ing the security team in case they disagree.

Agreed.

Cheers,
        Moritz
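
To make the flaw concrete, here is an added illustration in C (not code from the package, from S-lang, or from anyone in this thread): SLsmg_printf() is replaced by a vsnprintf()-based stand-in that formats into a buffer instead of the screen, and the binding's "before" and "after" forms are modelled as small wrappers. The names fake_SLsmg_printf, fake_SLsmg_write_string, binding_before and binding_after are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the screen: the real SLsmg_printf() draws into the
   S-lang screen buffer; here we format into a plain char array so the
   result can be inspected. (Assumption: S-lang itself is not linked.) */
static char screen[256];

/* Stand-in for SLsmg_printf(): a printf-style vararg function. */
static void fake_SLsmg_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(screen, sizeof screen, fmt, ap);
    va_end(ap);
}

/* Stand-in for SLsmg_write_string(): the string is data, never a format. */
static void fake_SLsmg_write_string(const char *s)
{
    snprintf(screen, sizeof screen, "%s", s);
}

/* What the bug report describes at Slang.c:301: the binding forwards the
   caller's only argument as the format string. Any '%' in it is parsed
   by the formatter, and gcc reports exactly this pattern with
   -Werror=format-security when the callee is known to be printf-like. */
static const char *binding_before(const char *user_string)
{
    fake_SLsmg_printf(user_string);
    return screen;
}

/* Fixed form: a literal format with the user string as an argument. This
   is equivalent to SLsmg_write_string() and silences the compiler error. */
static const char *binding_after(const char *user_string)
{
    fake_SLsmg_printf("%s", user_string);
    return screen;
}

/* The alternative fix: drop printf entirely, as the text notes the
   binding never used more than the first argument anyway. */
static const char *binding_write_string(const char *user_string)
{
    fake_SLsmg_write_string(user_string);
    return screen;
}
```

With the input `100%% done` the "before" wrapper collapses `%%` to `%` and shows that the string is being interpreted as a format, while both fixed forms reproduce it unchanged.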
