[bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Jimmy Zelinskie

URL:
  <http://savannah.gnu.org/bugs/?36591>

                 Summary: error: format not a string literal and no format
arguments [-Werror=format-security]
                 Project: GNU FreeIPMI
            Submitted by: yoh
            Submitted on: Tue 05 Jun 2012 01:00:00 AM GMT
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: GNU/Linux

    _______________________________________________________

Details:

There is an ongoing effort
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
to provide "hardened" builds of the software for Debian.  So I have tried to
build freeipmi with suggested flags and ran into:

/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I../../config  -D_GNU_SOURCE -D_REENTRANT -D_FORTIFY_SOURCE=2  -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security -c -o libmiscutil_la-conffile.lo `test -f 'conffile.c'
|| echo './'`conffile.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../../config -D_GNU_SOURCE
-D_REENTRANT -D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security
-c conffile.c
-fPIC -DPIC -o .libs/libmiscutil_la-conffile.o
conffile.c: In function ‘conffile_errmsg’:
conffile.c:152:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:152:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:155:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:155:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:159:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:159:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:179:23: error: format not a string literal and no format arguments
[-Werror=format-security]
conffile.c:179:23: error: format not a string literal and no format arguments
[-Werror=format-security]
cc1: some warnings being treated as errors
make[3]: *** [libmiscutil_la-conffile.lo] Error 1
...

which are due to the use of snprintf in the scenario where format string is
not actually expecting any format options.

Here are a few other locations of similar uses:

util/ipmi-device-types-util.c:58:3: error: format not a string literal and no
format arguments [-Werror=format-security]
util/ipmi-sensor-and-event-code-tables-util.c:1111:3: error: format not a
string literal and no format arguments [-Werror=format-security]
util/ipmi-sensor-util.c:67:3: error: format not a string literal and no format
arguments [-Werror=format-security]






    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?36591>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/


_______________________________________________
Freeipmi-devel mailing list
Freeipmi-devel@...
https://lists.gnu.org/mailman/listinfo/freeipmi-devel

[bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Jimmy Zelinskie

Follow-up Comment #1, bug #36591 (project freeipmi):

(As discussed on mailing list)

A lot of those functions have snprintf-like return values, which is why I call
snprintf the way I do.  I'm not 100% sure how to deal with this cleanly.
strncpy + strlen I don't think handle the end '\0' character the same. I will
research this a bit.

Is there a suggested way to handle this from the Debian folks?



Re: [bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Diego Elio Pettenò-2

On 05/06/2012 19:56, Albert Chu wrote:
> Is there a suggested way to handle this from the Debian folks?

snprintf(bar, sizeof(bar), "%s", foo);

is the general suggestion in these cases.

--
Diego Elio Pettenò — Flameeyes
flameeyes@... http://blog.flameeyes.eu/
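
The suggestion above applied to a helper with an snprintf-like return value, the concern raised in Follow-up Comment #1. This is an added example, not FreeIPMI's code or part of the original messages; `errmsg_copy`, `errmsg_truncated` and the sample message are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not FreeIPMI code): copy an error message into the
 * caller's buffer and keep snprintf's contract, i.e. the result is always
 * NUL-terminated when buflen > 0 and the return value is the length the
 * full message needs, excluding the NUL. */
int errmsg_copy(char *buf, size_t buflen, const char *msg)
{
    /* Form rejected by -Werror=format-security:
     *     snprintf(buf, buflen, msg);
     * There msg is parsed as a format, so any '%' in it is a directive. */
    return snprintf(buf, buflen, "%s", msg);
}

/* snprintf-style truncation test: error, or needed length >= buffer size. */
int errmsg_truncated(int rv, size_t buflen)
{
    return rv < 0 || (size_t) rv >= buflen;
}

int main(void)
{
    /* Constructed sample message that happens to contain '%' characters. */
    const char *msg = "bad value '%s': quota at 100%";
    char big[64], tiny[8];
    int rv;

    rv = errmsg_copy(big, sizeof(big), msg);
    printf("rv=%d strlen=%zu buf=\"%s\"\n", rv, strlen(msg), big);

    rv = errmsg_copy(tiny, sizeof(tiny), msg);
    printf("rv=%d truncated=%d buf=\"%s\"\n",
           rv, errmsg_truncated(rv, sizeof(tiny)), tiny);
    return 0;
}
```

With `"%s"` as the format, the message is treated as data only, and callers that rely on the return value to detect truncation keep working unchanged.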


Re: [bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Yaroslav Halchenko-10

Shame on me -- I should have thought of this one!
Thanks Diego.

On Tue, 05 Jun 2012, Diego Elio Pettenò wrote:
> > Is there a suggested way to handle this from the Debian folks?

> snprintf(bar, sizeof(bar), "%s", foo);

> is the general suggestion in these cases.
--
Yaroslav O. Halchenko
Postdoctoral Fellow,   Department of Psychological and Brain Sciences
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik       


Re: [bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Albert Chu

Thanks Diego.  Yeah, it seems so obvious now :P

Al

On Tue, 2012-06-05 at 11:12 -0700, Yaroslav Halchenko wrote:
> Shame on me -- I should have thought of this one!
> Thanks Diego.
>
> On Tue, 05 Jun 2012, Diego Elio Pettenò wrote:
> > > Is there a suggested way to handle this from the Debian folks?
>
> > snprintf(bar, sizeof(bar), "%s", foo);
>
> > is the general suggestion in these cases.
--
Albert Chu
chu11@...
Computer Scientist
High Performance Systems Division
Lawrence Livermore National Laboratory


[bug #36591] error: format not a string literal and no format arguments [-Werror=format-security]

by Jimmy Zelinskie

Update of bug #36591 (project freeipmi):

             Open/Closed:                    Open => Closed                

    _______________________________________________________

Follow-up Comment #2:

Fixed, it'll be in the next release of FreeIPMI
