Coin,
Quoting Didier Raboud <o...@debian.org>:
This happened because since dpkg 1.16.0 [0], hardening flags are enabled under various conditions.
I'm glad it is now enabled, even if a bit sudden and probably causing mass-FTBFS.
I'd like some help reviewing the patch [1] I made to solve this problem, as I'm not really sure it is a proper solution.
In this program, the spotted format problems are due to indirect use of constant format strings. As IRC is full of error numerics, the message is retrieved in a table using this number. Sometimes, the message does not need any parameter, leading to calls to the generic logging functions without any format arguments. As these functions are declared using __attribute((format(printf, <x>, <y>))) (or via the AFP macro), it triggers the format-security alert.
It is a false positive, but I could not find any way to specify that a function can have a legitimate empty format argument list. Thus, the solution I found came from the gcc format specification:
For functions where the arguments are not available to be checked (such as `vprintf'), specify the third parameter as zero. In this case the compiler only checks the format string for consistency.
I found it better than ignoring format-security completely.
Could you give me your opinion on this solution (and possibly suggest a better one)?
Regards.
[1] http://anonscm.debian.org/gitweb/?p=collab-maint/ircd-ratbox.git;a=blob;f=debian/patches/gcc_format-security_fix;h=1f28e17ff336189400c89d0a2196864312d4024c;hb=8094138bf60635b45a116afa75a97a2c194b5c6c
-- Marc Dequènes (Duck)
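An added example, not part of the original message and not ircd-ratbox code: with the third parameter of the format attribute set to zero, gcc no longer checks arguments against table-driven formats, so this sketch checks each table entry at run time against the argument types its callers pass. The table, `log_msg`, `fmt_matches` and `bad_replies` are hypothetical names, and the sample replies are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample table: numeric, format, expected argument types. */
struct reply { int numeric; const char *fmt; const char *args; };
static const struct reply replies[] = {
    { 401, "%s :No such nick/channel", "s" },
    { 422, ":MOTD File is missing",    ""  },
    { 471, "%s :Cannot join channel (limit %d)", "sd" },
};

/* Third parameter 0: gcc checks the format string only, not the arguments,
 * so a table lookup with no arguments does not trip -Wformat-security. */
static int log_msg(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 0)));

static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Return 1 only if the conversions in fmt are exactly the type letters in
 * args, in order. Deliberately strict: accepts %s %d %u %c and %% only, so
 * %n, flags, widths and a trailing '%' are all rejected. */
static int fmt_matches(const char *fmt, const char *args)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        if (*p == '\0' || !strchr("sduc", *p) || *args != *p) return 0;
        args++;
    }
    return *args == '\0';
}

/* Count table entries whose format disagrees with its declared arguments. */
static int bad_replies(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        bad += !fmt_matches(replies[i].fmt, replies[i].args);
    return bad;
}

int main(void)
{
    char buf[128];
    log_msg(buf, sizeof buf, replies[1].fmt);   /* legitimate: no arguments */
    printf("bad entries: %d, sample: %s\n", bad_replies(), buf);
    return bad_replies() != 0;
}
```

Running `bad_replies()` once at startup or in a unit test restores the argument check that the zero third parameter gives up.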