* [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security
@ 2016-06-24 10:59 André Draszik
  2016-06-27  9:10 ` Burton, Ross
  0 siblings, 1 reply; 4+ messages in thread
From: André Draszik @ 2016-06-24 10:59 UTC (permalink / raw)
  To: openembedded-core

From: André Draszik <adraszik@tycoint.com>

../../libidn-1.32/src/idn.c: In function 'main':
../../libidn-1.32/src/idn.c:172:7: error: format not a string literal and no format arguments [-Werror=format-security]
       error (0, 0, _("only one of -s, -e, -d, -a, -u or -n can be specified"));
       ^~~~~
../../libidn-1.32/src/idn.c:187:5: error: format not a string literal and no format arguments [-Werror=format-security]
     fprintf (stderr, _("Type each input string on a line by itself, "
     ^~~~~~~
../../libidn-1.32/src/idn.c:202:4: error: format not a string literal and no format arguments [-Werror=format-security]
    error (EXIT_FAILURE, errno, _("input error"));
    ^~~~~
../../libidn-1.32/src/idn.c:220:8: error: format not a string literal and no format arguments [-Werror=format-security]
        _("could not convert from UTF-8 to UCS-4"));
        ^
../../libidn-1.32/src/idn.c:245:8: error: format not a string literal and no format arguments [-Werror=format-security]
        _("could not convert from UTF-8 to UCS-4"));
        ^
../../libidn-1.32/src/idn.c:281:6: error: format not a string literal and no format arguments [-Werror=format-security]
      _("could not convert from UTF-8 to UCS-4"));
      ^
../../libidn-1.32/src/idn.c:340:6: error: format not a string literal and no format arguments [-Werror=format-security]
      _("could not convert from UCS-4 to UTF-8"));
      ^
../../libidn-1.32/src/idn.c:364:6: error: format not a string literal and no format arguments [-Werror=format-security]
      _("could not convert from UCS-4 to UTF-8"));
      ^
../../libidn-1.32/src/idn.c:442:8: error: format not a string literal and no format arguments [-Werror=format-security]
        _("could not convert from UCS-4 to UTF-8"));
        ^
../../libidn-1.32/src/idn.c:498:6: error: format not a string literal and no format arguments [-Werror=format-security]
      _("could not convert from UTF-8 to UCS-4"));
      ^
../../libidn-1.32/src/idn.c:527:5: error: format not a string literal and no format arguments [-Werror=format-security]
     _("could not convert from UTF-8 to UCS-4"));
     ^
../../libidn-1.32/src/idn.c:540:6: error: format not a string literal and no format arguments [-Werror=format-security]
      error (EXIT_FAILURE, 0, _("could not do NFKC normalization"));
      ^~~~~
../../libidn-1.32/src/idn.c:551:5: error: format not a string literal and no format arguments [-Werror=format-security]
     _("could not convert from UTF-8 to UCS-4"));
     ^

Signed-off-by: André Draszik <adraszik@tycoint.com>
---
 meta/conf/distro/include/security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index a7be185..3f52afb 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -105,6 +105,7 @@ SECURITY_STRINGFORMAT_pn-expect = ""
 SECURITY_STRINGFORMAT_pn-gcc = ""
 SECURITY_STRINGFORMAT_pn-gettext = ""
 SECURITY_STRINGFORMAT_pn-kexec-tools = ""
+SECURITY_STRINGFORMAT_pn-libidn = ""
 SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
 
 TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
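Review bot: The added `SECURITY_STRINGFORMAT_pn-libidn = ""` entry drops the format-security check for the whole libidn recipe, while every error quoted in the commit message is in src/idn.c, in main(), on calls that pass a translated message `_("...")` as the format with no arguments. Those call sites can take a literal format instead, for example `error (0, 0, "%s", _("input error"));`, which would keep the check active for the rest of the package. If the exception stays, a comment beside the entry naming the file that triggers it would help whoever revisits this list later.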
-- 
2.8.1




* Re: [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security
  2016-06-24 10:59 [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security André Draszik
@ 2016-06-27  9:10 ` Burton, Ross
  2016-06-27  9:42   ` Alexander Kanavin
  0 siblings, 1 reply; 4+ messages in thread
From: Burton, Ross @ 2016-06-27  9:10 UTC (permalink / raw)
  To: André Draszik; +Cc: OE-core

On 24 June 2016 at 11:59, André Draszik <git@andred.net> wrote:

> ../../libidn-1.32/src/idn.c: In function 'main':
> ../../libidn-1.32/src/idn.c:172:7: error: format not a string literal and
> no format arguments [-Werror=format-security]
>        error (0, 0, _("only one of -s, -e, -d, -a, -u or -n can be
> specified"));
>

As libidn will be dealing with data from the network it seems like the sort
of package that should be built with format-security enabled.  Wouldn't it
be better to fix up the calls to error() instead?

Ross
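
Why the compiler flags these calls, and what fixing them looks like, as an added example that is not part of the original thread or of libidn. It assumes `_()` is the usual gettext lookup, so the format string comes from a message catalog at run time; `count_arg_directives`, `report_safe` and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flagged form:  error (0, 0, _("input error"));        message is parsed as a format
 * Fixed form:    error (0, 0, "%s", _("input error"));  message is plain data
 *
 * Count how many variadic arguments printf-style parsing of fmt would read.
 * Simplified scan (hypothetical helper): no positional "%1$s" support. */
static int count_arg_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                          /* step past '%' */
        while (*p && strchr("-+ #0'", *p)) p++;       /* flags */
        for (; *p == '*' || (*p >= '0' && *p <= '9') || *p == '.'; p++)
            if (*p == '*') n++;                       /* width/precision taken from an argument */
        while (*p && strchr("hlLqjzt", *p)) p++;      /* length modifiers */
        if (*p == '\0') break;                        /* truncated directive at end of string */
        if (*p != '%' && *p != 'm') n++;              /* "%%" and glibc "%m" read no argument */
    }
    return n;
}

/* Stand-in for the fixed call: the message is only ever the "%s" argument,
 * so any '%' it contains is copied through unchanged. */
static int report_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

int main(void)
{
    /* Constructed samples: the English literal from the build log, and
     * catalog entries as a faulty or tampered translation might supply them. */
    const char *samples[] = {
        "only one of -s, -e, -d, -a, -u or -n can be specified",
        "input error: %s",
        "user %s: %*d items",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        report_safe(buf, sizeof buf, samples[i]);
        printf("%d missing argument(s) if used as format: %s\n",
               count_arg_directives(samples[i]), buf);
    }
    return 0;
}
```
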


* Re: [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security
  2016-06-27  9:10 ` Burton, Ross
@ 2016-06-27  9:42   ` Alexander Kanavin
  2016-06-28 11:55     ` André Draszik
  0 siblings, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2016-06-27  9:42 UTC (permalink / raw)
  To: openembedded-core

On 06/27/2016 12:10 PM, Burton, Ross wrote:
>     ../../libidn-1.32/src/idn.c: In function 'main':
>     ../../libidn-1.32/src/idn.c:172:7: error: format not a string
>     literal and no format arguments [-Werror=format-security]
>            error (0, 0, _("only one of -s, -e, -d, -a, -u or -n can be
>     specified"));
>
>
> As libidn will be dealing with data from the network it seems like the
> sort of package that should be built with format-security enabled.
> Wouldn't it be better to fix up the calls to error() instead?

Also, in general the point of adding this check was that we try to fix 
the problems in the code. Adding packages to the list of exceptions is 
missing the point :)

Please write a patch - I'd say we should accept new exceptions only if 
fixing the code is shown to be too difficult.


Alex




* Re: [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security
  2016-06-27  9:42   ` Alexander Kanavin
@ 2016-06-28 11:55     ` André Draszik
  0 siblings, 0 replies; 4+ messages in thread
From: André Draszik @ 2016-06-28 11:55 UTC (permalink / raw)
  To: openembedded-core

On Mon, 2016-06-27 at 12:42 +0300, Alexander Kanavin wrote:
> On 06/27/2016 12:10 PM, Burton, Ross wrote:
> >     ../../libidn-1.32/src/idn.c: In function 'main':
> >     ../../libidn-1.32/src/idn.c:172:7: error: format not a string
> >     literal and no format arguments [-Werror=format-security]
> >            error (0, 0, _("only one of -s, -e, -d, -a, -u or -n can be
> >     specified"));
> > 
> > 
> > As libidn will be dealing with data from the network it seems like the
> > sort of package that should be built with format-security enabled.
> > Wouldn't it be better to fix up the calls to error() instead?

Yes, and no :-)
idn.c is a command line utility and the gcc warnings are all from error
messages printed, e.g. when giving incorrect command line arguments. But it
makes sense in case future versions add more issues in other places as they
would go unnoticed otherwise.

> Also, in general the point of adding this check was that we try to fix 
> the problems in the code. Adding packages to the list of exceptions is 
> missing the point :)
> 
> Please write a patch - I'd say we should accept new exceptions only if 
> fixing the code is shown to be too difficult.

http://lists.openembedded.org/pipermail/openembedded-core/2016-June/123327.html

a.


