Bug 660841 - build failure with [-Werror=format-security]
Status: RESOLVED FIXED
Product: anjuta
Classification: Applications
Component: unknown
Version: 3.0.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Anjuta maintainers
Reported: 2011-10-03 22:43 UTC by Michael Biebl
Modified: 2011-10-13 02:21 UTC
GNOME target: ---
GNOME version: ---


Attachments
Fix string-format vulnerability by using g_set_error_literal () (2.10 KB, patch)
2011-10-03 23:10 UTC, Michael Biebl
Fix format string vulnerability by using g_set_error_literal () (2.10 KB, patch)
2011-10-03 23:12 UTC, Michael Biebl

Description Michael Biebl 2011-10-03 22:43:34 UTC
Building anjuta on Debian (where -Werror=format-security is now enabled by default) results in a build failure:


> /bin/bash ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../..  -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare    -pthread -DGSEAL_ENABLE -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/gtk-3.0 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/   -DGSEAL_ENABLE -pthread -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/libgdl-3.0 -I/usr/include/gtk-3.0 -I/usr/include/libxml2 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include    -I../.. -I../../libanjuta -DPACKAGE_PIXMAPS_DIR=\""/usr/share/pixmaps/anjuta"\" -DPACKAGE_LIB_DIR=\""/usr/lib/anjuta"\" -DPACKAGE_DATA_DIR=\""/usr/share/anjuta"\" -DG_LOG_DOMAIN=\"am-project\"  -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare  -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wall -c -o am-project.lo am-project.c
> libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare -pthread -DGSEAL_ENABLE -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/gtk-3.0 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -DGSEAL_ENABLE -pthread -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/libgdl-3.0 -I/usr/include/gtk-3.0 -I/usr/include/libxml2 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I../.. -I../../libanjuta -DPACKAGE_PIXMAPS_DIR=\"/usr/share/pixmaps/anjuta\" -DPACKAGE_LIB_DIR=\"/usr/lib/anjuta\" -DPACKAGE_DATA_DIR=\"/usr/share/anjuta\" -DG_LOG_DOMAIN=\"am-project\" -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wall -c am-project.c  -fPIC -DPIC -o .libs/am-project.o
> am-project.c: In function 'amp_project_load_root':
> am-project.c:1600:7: error: format not a string literal and no format arguments [-Werror=format-security]
> am-project.c: At top level:
> am-project.c:408:1: warning: 'ac_init_default_tarname' defined but not used [-Wunused-function]
> cc1: some warnings being treated as errors
> 
> make[5]: *** [am-project.lo] Error 1


Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643351
Comment 1 Michael Biebl 2011-10-03 22:51:38 UTC
It also fails at:

/bin/bash ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I../..  -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare    -I/usr/include/libxml2   -pthread -DGSEAL_ENABLE -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/gtk-3.0 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/   -DGSEAL_ENABLE -pthread -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/libgdl-3.0 -I/usr/include/gtk-3.0 -I/usr/include/libxml2 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include    -I../.. -I../../libanjuta -DPACKAGE_PIXMAPS_DIR=\""/usr/share/pixmaps/anjuta"\" -DPACKAGE_LIB_DIR=\""/usr/lib/anjuta"\" -DPACKAGE_DATA_DIR=\""/usr/share/anjuta"\" -DG_LOG_DOMAIN=\"mk-project\"  -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare  -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wall -c -o mk-project.lo mk-project.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare -I/usr/include/libxml2 -pthread -DGSEAL_ENABLE -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/gtk-3.0 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -DGSEAL_ENABLE -pthread -I/usr/include/atk-1.0 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/pango-1.0 -I/usr/include/pixman-1 -I/usr/include/freetype2 -I/usr/include/libpng12 -I/usr/include/libgdl-3.0 -I/usr/include/gtk-3.0 -I/usr/include/libxml2 -I/usr/include/cairo -I/usr/include/gio-unix-2.0/ -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I../.. -I../../libanjuta -DPACKAGE_PIXMAPS_DIR=\"/usr/share/pixmaps/anjuta\" -DPACKAGE_LIB_DIR=\"/usr/lib/anjuta\" -DPACKAGE_DATA_DIR=\"/usr/share/anjuta\" -DG_LOG_DOMAIN=\"mk-project\" -Wall -Wmissing-prototypes -Wnested-externs -Wpointer-arith -Wno-sign-compare -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wall -c mk-project.c  -fPIC -DPIC -o .libs/mk-project.o
mk-project.c: In function 'project_load_makefile':
mk-project.c:491:7: error: format not a string literal and no format arguments [-Werror=format-security]
mk-project.c: At top level:
mk-project.c:243:1: warning: 'mkp_target_get_token' defined but not used [-Wunused-function]
cc1: some warnings being treated as errors

make[3]: *** [mk-project.lo] Error 1
make[3]: Target `all' not remade because of errors.
make[3]: Leaving directory `/home/michael/git/anjuta/plugins/mk-project'
Comment 2 Michael Biebl 2011-10-03 23:10:17 UTC
Created attachment 198165
Fix string-format vulnerability by using g_set_error_literal ()
Comment 3 Michael Biebl 2011-10-03 23:12:46 UTC
Created attachment 198166
Fix format string vulnerability by using g_set_error_literal ()
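
The pattern behind the "format not a string literal and no format arguments" diagnostic, as an added example that is not part of the original report or of the Anjuta patch. `set_error()`, `set_error_literal()` and `parser_message()` are hypothetical stand-ins for `g_set_error()`, `g_set_error_literal()` and the run-time message, written without GLib so the block builds on its own; the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define ERR_MAX 128

/* Hypothetical stand-in for g_set_error(): the message is a printf format.
 * GLib marks the real function G_GNUC_PRINTF, so GCC can check call sites. */
static void set_error(char *err, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(err, ERR_MAX, format, ap);
    va_end(ap);
}

/* Hypothetical stand-in for g_set_error_literal(): the message is copied
 * as data and never parsed for conversion specifications. */
static void set_error_literal(char *err, const char *message)
{
    snprintf(err, ERR_MAX, "%s", message);
}

/* Constructed sample of run-time text, such as a parser quoting the token
 * it rejected. Only "%%" is used so the behaviour stays well defined. */
static const char *parser_message(void)
{
    return "Makefile.am:12: unexpected token '%%'";
}

/* Pattern the diagnostic describes: run-time text used as the format. */
static const char *report_as_format(char *err)
{
    set_error(err, parser_message());
    return err;
}

/* Same text passed as data, the approach the patch title names. */
static const char *report_as_literal(char *err)
{
    set_error_literal(err, parser_message());
    return err;
}

int main(void)
{
    char a[ERR_MAX], b[ERR_MAX];
    printf("as format : %s\nas literal: %s\n", report_as_format(a), report_as_literal(b));
    return strcmp(a, b) == 0; /* exit status 0 when the two results differ */
}
```

The format path rewrites the message (`%%` becomes `%`), which shows the text is being interpreted; the literal path stores it unchanged.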
Comment 4 Johannes Schmid 2011-10-04 01:19:39 UTC
Thanks, http://git.gnome.org/browse/anjuta/commit/?id=fa547401997c3fecb1ef500d3b496ceeb413a0e2

Sorry for not merging it in gnome-3-2 but that would require a string-freeze break and that's kind of not worth it.
Comment 5 Johannes Schmid 2011-10-04 01:20:15 UTC
Well, sorry, it doesn't. Wasn't paying much attention...