There's an unchecked syslog call inside of libssp/ssp.c
/usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] syslog (LOG_CRIT, msg1); ^~~~ 1 warning generated. /usr/src/gnu/lib/libssp/../../../contrib/gcclibs/libssp/ssp.c:137:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security] syslog (LOG_CRIT, msg1); I propose the following change: Index: contrib/gcclibs/libssp/ssp.c =================================================================== --- contrib/gcclibs/libssp/ssp.c (revision 256712) +++ contrib/gcclibs/libssp/ssp.c (working copy) #ifdef HAVE_SYSLOG_H /* Only send the error to syslog if there was no tty available. */ else - syslog (LOG_CRIT, msg3); + syslog (LOG_CRIT, "%s", msg3); #endif /* HAVE_SYSLOG_H */
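Review bot: the removed line in this hunk reads `syslog (LOG_CRIT, msg3);`, but the -Wformat-security warning quoted above for ssp.c:137 shows `syslog (LOG_CRIT, msg1);`, so the variable name should be checked against the file at revision 256712 before this is applied. The hunk as posted also carries no `@@` line-range header, so the diff needs regenerating before it will apply with patch(1). Passing the message as an argument to a literal "%s" format is the appropriate fix for this warning, since any `%` sequence in the message is then printed rather than interpreted by syslog.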