potential security issue with STIFF
01-27-2015, 16:04
Post: #1
potential security issue with STIFF
Hi!

I'm making debian/ubuntu packages of STIFF and I encountered the following problem. I didn't find a bug or issue tracker so I report it here. By default debian/ubuntu packages are compiled with the -Wformat-security flag enabled:

https://wiki.ubuntu.com/ToolChain/Compil...t-security

The compiler will then check for improper formatting usage. Unfortunately STIFF won't compile anymore:

Code:
gcc -DHAVE_CONFIG_H -I. -I..   -D_FORTIFY_SOURCE=2 -D_REENTRANT -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -c xml.c
xml.c: In function 'write_xmlconfigparam':
xml.c:587:7: error: format not a string literal and no format arguments [-Werror=format-security]
       sprintf(value, (char *)key[i].ptr);
       ^
xml.c:596:9: error: format not a string literal and no format arguments [-Werror=format-security]
         sprintf(value, ((char **)key[i].ptr)[0]);
         ^
xml.c:602:11: error: format not a string literal and no format arguments [-Werror=format-security]
           sprintf(value, ((char **)key[i].ptr)[j]);
           ^
xml.c:613:7: error: format not a string literal and no format arguments [-Werror=format-security]
       sprintf(value, key[i].keylist[*((int *)key[i].ptr)]);
       ^
xml.c:622:9: error: format not a string literal and no format arguments [-Werror=format-security]
         sprintf(value, key[i].keylist[((int *)key[i].ptr)[0]]);
         ^
xml.c:628:11: error: format not a string literal and no format arguments [-Werror=format-security]
           sprintf(value, key[i].keylist[((int *)key[i].ptr)[j]]);
           ^
xml.c: In function 'write_xml_meta':
xml.c:250:11: warning: ignoring return value of 'getcwd', declared with attribute warn_unused_result [-Wunused-result]
     getcwd(pspathb, MAXCHAR);
           ^
cc1: some warnings being treated as errors
make[4]: *** [xml.o] Error 1
make[4]: Leaving directory `/home/gijs/build/stiff-2.4.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/gijs/build/stiff-2.4.0/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/gijs/build/stiff-2.4.0'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/gijs/build/stiff-2.4.0'
dh_auto_build: make -j1 returned exit code 2
make: *** [build] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
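An added example, not part of the thread and not the change made in STIFF: it shows why `-Wformat-security` rejects a call whose format argument is a data string, next to the form with a literal `"%s"`. The function names and the sample parameter value are hypothetical, and `snprintf` stands in for the `sprintf` in the build log so the demo stays within its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the compiler flagged: the parameter text itself is the format.
 * snprintf stands in for the thread's sprintf so the demo stays in bounds.
 * The pragmas silence -Wformat-security for this one deliberate call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int write_value_flagged(char *value, size_t size, const char *param)
{
    return snprintf(value, size, param);
}
#pragma GCC diagnostic pop

/* Literal "%s" format: param is copied as data, never interpreted.
 * Returns the length written, or -1 if the text did not fit. */
int write_value_fixed(char *value, size_t size, const char *param)
{
    int n = snprintf(value, size, "%s", param);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: a parameter value that happens to contain '%'. */
    const char *param = "100%% flux";
    char a[32], b[32];

    write_value_flagged(a, sizeof a, param);
    write_value_fixed(b, sizeof b, param);
    printf("flagged: [%s]\nfixed:   [%s]\n", a, b);
    return 0;
}
```

The flagged form rewrites the value because `%%` is parsed as a conversion, while the fixed form stores it byte for byte and reports truncation.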
01-28-2015, 21:44
Post: #2
RE: potential security issue with STIFF
Hi gijzelaerr!

Thanks for your detailed report.

I have modified the code and tested the build on debian wheezy using your debian package files.

It works for me. Could you please download the latest svn version and let me know?

Thanks again,
Chiara
01-29-2015, 08:56
Post: #3
RE: potential security issue with STIFF
yes, svn rev 61 compiles without problem!

thanks