On Mon, Feb 27, 2012 at 09:44:04PM +0000, Dominic Hargreaves wrote:
> Source: libtfbs-perl
> Severity: normal
> Version: 0.5.svn.20100421-1
> User: debian...@lists.debian.org
> Usertags: hardening-format-security hardening
>
> With hardening flags enabled, this package FTBFS:
>
> ./lib/pwm_searchPFF.c: In function 'announce':
> ./lib/pwm_searchPFF.c:124:4: error: format not a string literal and no format arguments [-Werror=format-security]
All calls of this function are conditional on the __DEBUG__ preprocessor constant, which is defined to 0 in Ext/lib/pwm_search.h. Additionally, all the calls except one are with one fixed argument. However, it looks like the call in get_sequence() would probably be vulnerable if __DEBUG__ were enabled.

The compiled shared object usr/lib/perl5/auto/TFBS/Ext/pwmsearch/pwmsearch.so exports the 'announce' symbol, so it might be used by other software in a vulnerable way. However, the only reverse dependency, med-bio-dev from the debian-med source package, does not reference it anywhere AFAICS.

So there doesn't seem to be any real security impact, at least on unstable. I did glance through the stable versions too and the situation seems identical.

In any case, the fix is trivial, just change

  fprintf(stderr,msg);

to

  fprintf(stderr,"%s",msg);

Cheers,
-- 
Niko Tyni nt...@debian.org
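The before/after idiom from the report, as an added example that is not code from libtfbs-perl or from the thread. The `announce` wrapper uses the fixed form; `render_announce` is an assumed helper that applies the same "%s" idiom to a buffer so the behaviour can be checked: a message containing '%' sequences comes out verbatim instead of being interpreted as a format string.

```c
#include <stdio.h>
#include <string.h>

#if 0
/* The form the hardening flags reject: the message *is* the format
 * string, so '%' sequences inside it are interpreted by printf.
 * gcc -Wformat -Werror=format-security refuses to build this. */
static void announce(const char *msg)
{
    fprintf(stderr, msg);
}
#endif

/* Fixed form from the report: a literal format string, the message
 * passed as an argument, so it is printed exactly as given. */
static void announce(const char *msg)
{
    fprintf(stderr, "%s", msg);
}

/* Assumed helper (not from the package): render a message into buf with
 * the same "%s" idiom. Returns the number of characters that would be
 * written, excluding the terminator, as snprintf does. */
int render_announce(char *buf, size_t len, const char *msg)
{
    return snprintf(buf, len, "%s", msg);
}

int main(void)
{
    /* Constructed sample: a debug message built from untrusted input
     * that happens to contain '%' characters. */
    const char *msg = "coverage 100%d of %s";
    char buf[64];
    int n = render_announce(buf, sizeof buf, msg);
    announce(buf);          /* prints the '%' sequences literally */
    return (n == 20 && strcmp(buf, msg) == 0) ? 0 : 1;
}
```

Building with `gcc -Wformat -Werror=format-security` is the check that catches the original pattern before it ships.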