This queue is for tickets about the KinoSearch CPAN distribution.

Report information
The Basics
Id: 67059
Status: resolved
Priority: 0/
Queue: KinoSearch

People
Owner: Nobody in particular
Requestors: jquelin [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: build failure when using -Werror=format-security
The following gcc flag, -Werror=format-security, makes the dist fail during build. (Note: this flag is on by default on at least the Mandriva and Mageia Linux distributions, maybe others as well.) The attached patch fixes the problem.
Subject: KinoSearch-0.311-format_security.patch
diff -urbaN BUILD/KinoSearch-0.311-new/charmonizer/src/Charmonizer/Core/ConfWriter.c BUILD/KinoSearch-0.311-old/charmonizer/src/Charmonizer/Core/ConfWriter.c --- BUILD/KinoSearch-0.311-new/charmonizer/src/Charmonizer/Core/ConfWriter.c 2010-12-29 03:29:24.000000000 +0100 +++ BUILD/KinoSearch-0.311-old/charmonizer/src/Charmonizer/Core/ConfWriter.c 2011-03-29 14:28:21.636453613 +0200 @@ -29,7 +29,7 @@ /* Print supplied text (if any) along with warning, open include guard. */ if (charmony_start != NULL) { - fprintf(charmony_fh, charmony_start); + fprintf(charmony_fh, "%s", charmony_start); } fprintf(charmony_fh, "/* Header file auto-generated by Charmonizer. \n" diff -urbaN BUILD/KinoSearch-0.311-new/xs/KinoSearch/Object/Err.c BUILD/KinoSearch-0.311-old/xs/KinoSearch/Object/Err.c --- BUILD/KinoSearch-0.311-new/xs/KinoSearch/Object/Err.c 2010-12-29 03:29:24.000000000 +0100 +++ BUILD/KinoSearch-0.311-old/xs/KinoSearch/Object/Err.c 2011-03-29 14:33:42.060472798 +0200 @@ -60,7 +60,7 @@ { SV *error_sv = XSBind_cb_to_sv(message); KINO_DECREF(message); - warn(SvPV_nolen(error_sv)); + warn("%s", SvPV_nolen(error_sv)); SvREFCNT_dec(error_sv); }
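Review bot: in the ConfWriter.c hunk, fputs(charmony_start, charmony_fh) would be a simpler fix than fprintf(charmony_fh, "%s", charmony_start), since the line only prints supplied text and fputs involves no format parsing at all. Separately, the diff headers name the trees backwards: the --- side is KinoSearch-0.311-new and the +++ side, which carries the fix, is KinoSearch-0.311-old. The hunk content runs in the right direction, but regenerating the patch with the directory names in the conventional order would avoid confusion.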
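Review bot: in the Err.c hunk, warn("%s", SvPV_nolen(error_sv)) removes the non-literal format but hands the message over as a plain C string, so it stops at the first embedded NUL and the UTF-8 flag on error_sv is not carried through. Since error_sv is already an SV, consider warn("%" SVf, SVfARG(error_sv)) so that Perl formats the SV itself; if the oldest Perl the distribution supports lacks SVfARG, the "%s" form is a reasonable fallback.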
Thank you for the report and the patch. Coincidentally, the fix for this problem was committed a few hours ago. Furthermore, I performed an investigation and concluded that there was no possibility that these functions could ever be invoked with a user-supplied format string, so there are no security implications for this bug.