On Sun, Nov 27, 2011 at 03:10:57PM +0000, Colin Watson wrote:
> tags 649322 security
> severity 649322 grave
> thanks
> 
> On Sat, Nov 19, 2011 at 11:19:48PM +0100, Leo Iannacone wrote:
> > The package clearsilver fails to compile with the new hardened compiler
> > flags dpkg-buildflag outputs [0].
> > The problematic flag is: -Werror=format-security
> > See the ubuntu buildlog:
> > https://launchpadlibrarian.net/85252523/buildlog_ubuntu-precise-i386.clearsilver_0.10.5-1.2_FAILEDTOBUILD.txt.gz
> > 
> > Snippet:
> >  neo_cgi.c: In function 'p_cgi_error':
> >  neo_cgi.c:181:3: error: format not a string literal and no format
> > arguments [-Werror=format-security]
> >  cc1: some warnings being treated as errors
> 
> This may very well be exploitable; I sent an example to security@ a
> little while back, and CCed clearsil...@packages.debian.org.  Please
> apply Leo's patch ASAP.

I've been preparing a DSA, which will be released soon.

Clearsilver maintainers, when fixing this, please ensure that you enable
the hardening build flags for clearsilver:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

Cheers,
        Moritz
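For readers following the bug: the construct gcc is rejecting above is a caller-supplied string being passed straight to a printf-family function as its format. The small C program below is an added illustration and is not clearsilver's code; the function names render_error_unsafe and render_error_safe and the sample message are assumptions made for the example. It shows the pattern that triggers -Werror=format-security next to the one-token fix ("%s" as the literal format), and demonstrates at run time that the unsafe variant interprets '%' sequences in attacker data while the safe one treats the message purely as data.

```c
/* Added example, not part of clearsilver or the bug report. */
#include <stdio.h>
#include <string.h>

/*
 * VULNERABLE: 'msg' is used as the format string. This is exactly what
 * gcc reports with -Wformat-security ("format not a string literal and
 * no format arguments"), and -Werror=format-security turns it into a
 * build failure. If msg comes from a client (e.g. a CGI error text),
 * "%x%x%x" leaks stack contents and "%n" writes through a pointer the
 * formatter pulls from a non-existent argument, so this is a memory
 * corruption primitive, not just a cosmetic bug.
 */
int render_error_unsafe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);
}

/*
 * HARDENED: the format is a string literal, msg is only ever data. The
 * warning disappears and '%' in msg has no special meaning.
 */
int render_error_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/*
 * Returns 1 if rendering 'msg' through the unsafe path changed it, i.e.
 * the formatter consumed at least one conversion; 0 otherwise. Only
 * "%%" is used by the caller below, which is the one format sequence
 * that is safe to exercise deliberately (no argument is fetched).
 */
int unsafe_path_interprets_format(const char *msg)
{
    char unsafe_out[128], safe_out[128];

    render_error_unsafe(unsafe_out, sizeof unsafe_out, msg);
    render_error_safe(safe_out, sizeof safe_out, msg);
    return strcmp(unsafe_out, safe_out) != 0;
}

int main(void)
{
    /* Constructed sample input standing in for a client-controlled string. */
    const char *client_msg = "disk 100%% full";
    char buf[128];

    render_error_unsafe(buf, sizeof buf, client_msg);
    printf("unsafe: %s\n", buf);   /* "disk 100% full"  - %% was consumed */
    render_error_safe(buf, sizeof buf, client_msg);
    printf("safe:   %s\n", buf);   /* "disk 100%% full" - message is data */
    return 0;
}
```

Build it with the same flag the Ubuntu buildd used, e.g. gcc -Wall -Werror=format-security, and the unsafe function alone stops the compile; that is the point of enabling the hardening flags in debian/rules rather than only patching the one call site.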



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org