tag 661382 patch
thanks

On Sun, Feb 26, 2012 at 08:15:49PM +0000, Dominic Hargreaves wrote:
> Source: libcrypt-openssl-dsa-perl
> Severity: normal
> Version: 0.13-5
>
> With hardening flags enabled, this package FTBFS:
>
> DSA.xs:57:11: error: format not a string literal and no format arguments
> [-Werror=format-security]
> DSA.c: In function 'XS_Crypt__OpenSSL__DSA_generate_key':
For some reason, I only see this on i386 and not amd64. Weird.

This does not have security impact AFAICS. Patch attached.

--
Niko Tyni
nt...@debian.org
>From e8ef75498c12e3ce46f219ba54a0b129ce37b679 Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Sat, 3 Mar 2012 21:00:54 +0200 Subject: [PATCH] Explicitly croak() with a controlled format string This fixes builds with 'gcc -Werror=format-security'. As ERR_reason_error_string() returns one of fixed OpenSSL error strings, not an uncontrolled format string, the issue does not seem to have any actual security impact. --- DSA.xs | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/DSA.xs b/DSA.xs index 0370b0e..85657ca 100644 --- a/DSA.xs +++ b/DSA.xs @@ -54,7 +54,7 @@ generate_parameters(CLASS, bits, seed = NULL) } dsa = DSA_generate_parameters(bits, seedpv, seed_len, NULL, NULL, NULL, NULL); if (!dsa) - croak(ERR_reason_error_string(ERR_get_error())); + croak("%s", ERR_reason_error_string(ERR_get_error())); RETVAL = dsa; OUTPUT: RETVAL -- 1.7.9.1
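Review bot: ERR_reason_error_string() can return NULL when no reason string is registered for the error code (on older OpenSSL this also happens if the error strings were never loaded), and the new croak("%s", ERR_reason_error_string(ERR_get_error())) would then pass a null pointer to a "%s" conversion; consider guarding it, e.g. `const char *reason = ERR_reason_error_string(ERR_get_error()); croak("%s", reason ? reason : "unknown OpenSSL error");`. The quoted build log also ends with gcc entering 'XS_Crypt__OpenSSL__DSA_generate_key', which suggests a further diagnostic there, yet the diffstat touches only the single croak() at DSA.xs:57, so it is worth checking whether other croak() calls in DSA.xs need the same "%s" treatment before declaring the -Werror=format-security build fixed.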