On Tue, Aug 13, 2013 at 10:22:52PM +0000, Thorsten Glaser wrote:
> Source: libswe
> Version: 1.77.00.0005-7
> Severity: serious
> Justification: possible security impact
>
> “ Log for successful build of libswe_1.77.00.0005-7 on m68k (dist=unstable) ”
>
> buildd on ara5 for m68k dixit:
>
> > Changes:
> […]
> > * disable these errors -Wno-error=format-security -Wno-format
>
> I think this should stay as RC bug until such time as the
> format string warnings are back as errors during compilation
> and indeed fixed.

The problem is that when I went to debian/compat 9, it added -Werror=format-security -Wformat to the build, and this caused the build to fatally crash. Since this is an astrological program used mostly in a non-hostile context, I don't believe this library should be withheld until the original author modifies the source. The -Wno-error=format-security -Wno-format allows the library to build.

I do believe a warning should be added to debian/README.Debian and a bug filed against the original author. I plan to do that with a new release I will be making soon.

Can you suggest a switch that will allow the build to complete, but still flag the error?

I have looked at the source, and the places where the user can control the data in the variable are in the test program swetest, which would not often be exposed to a hostile user.

-- 
Paul Elliott                               1(512)837-1096
pelli...@blackpatchpanel.com               PMB 181, 11900 Metric Blvd Suite J
http://www.free.blackpatchpanel.com/pme/   Austin TX 78758-3117
---
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." Edward Snowden
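
An added example, not part of the original message and not libswe code: the pattern that -Wformat-security reports, next to its fix. The function names and the sample string are constructed for illustration, and the pragma is one in-source way to keep the diagnostic a warning instead of an error for this file.

```c
#include <stdio.h>
#include <string.h>

/* Keep the format-security diagnostic visible as a warning in this file,
 * even if the build passes -Werror=format-security. On the command line,
 * "-Wformat -Wformat-security -Wno-error=format-security" has the same
 * effect; adding -Wno-format would silence the warning altogether,
 * because -Wformat-security only works while -Wformat is enabled. */
#pragma GCC diagnostic warning "-Wformat-security"

/* Flagged pattern: caller-supplied text is used as the format string,
 * so any '%' in it is interpreted by snprintf. The compiler reports
 * "format not a string literal and no format arguments". */
int render_flagged(char *out, size_t n, const char *text)
{
    return snprintf(out, n, text);
}

/* Fixed pattern: the format is a literal and the text is only data. */
int render_fixed(char *out, size_t n, const char *text)
{
    return snprintf(out, n, "%s", text);
}

int main(void)
{
    char a[64], b[64];
    /* Constructed input. "%%" takes no argument, so the flagged call stays
     * well defined while still showing that the text was interpreted. */
    const char *sample = "orb 100%% exact";

    render_flagged(a, sizeof a, sample);
    render_fixed(b, sizeof b, sample);
    printf("flagged: [%s]\nfixed:   [%s]\n", a, b);

    /* Exit status 0 when the two outputs differ, as they should here. */
    return strcmp(a, b) == 0;
}
```
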