Source: libyaml-syck-perl
Severity: normal
Version: 1.19-1
User: debian...@lists.debian.org
Usertags: hardening-format-security hardening

With hardening flags enabled, this package FTBFS:

perl_common.h: In function 'perl_syck_error_handler':
perl_common.h:79:9: warning: format '%ld' expects argument of type 'long int', but argument 4 has type 'int' [-Wformat]
perl_common.h:79:9: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

(this is the first error of this type seen: it's possible that there could be others once this is fixed).

A likely fix is to change croak(var) to croak("%s", var)[1], or similar.

Note that I haven't verified whether an externally-controlled string is used; if so, it would be appropriate to upgrade this bug to RC severity with the security tag[2].

This was found during testing of perl 5.14.2-8 in experimental; however, since that version was prepared, it has been decided not to export those build flags in Config_heavy.pl. Nevertheless, it is likely that at some point, either in debhelper 9 or 10, the hardening flags will be enabled for all perl modules.

Thanks,
Dominic.

[1] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#92>
[2] <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657853#117>

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
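
The croak(var) versus croak("%s", var) difference from the report above, as an added example that is not code from libyaml-syck-perl or from the bug report. The names report, handler_before, handler_after and message_preserved are hypothetical stand-ins, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style reporter such as croak():
 * it formats into a caller-supplied buffer instead of aborting. */
static void report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Before: the message itself is the format string, so every '%' in it
 * is parsed as a conversion. This is the call shape that
 * -Werror=format-security rejects on format-annotated functions. */
static void handler_before(char *out, size_t n, const char *msg)
{
    report(out, n, msg);
}

/* After: the format is a constant and the message is passed as data. */
static void handler_after(char *out, size_t n, const char *msg)
{
    report(out, n, "%s", msg);
}

/* Returns 1 when the handler reproduces the message byte for byte. */
static int message_preserved(void (*h)(char *, size_t, const char *),
                             const char *msg)
{
    char buf[128];
    h(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed input. "%%" consumes no argument, so the 'before'
     * call stays well defined while still showing the reinterpretation. */
    const char *msg = "bad indent at 50%% of document";
    printf("before preserved: %d\n", message_preserved(handler_before, msg));
    printf("after  preserved: %d\n", message_preserved(handler_after, msg));
    return 0;
}
```
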