Subject: -Werror=format-security failure
As per <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661398> this
module suffers from a format string issue (it fails to build with
-Werror=format-security failure).
As PL_no_localize_ref is an 'extern const' variable from the Perl core,
not an uncontrolled format string, the issue does not seem to have any
actual security impact.
Alias.xs: In function 'DataAlias_pp_rv2sv':
Alias.xs:783:4: error: format not a string literal and no format
arguments [-Werror=format-security]
cc1: some warnings being treated as errors
Patch from Niko Tyni attached.
Subject: 0001-Explicitly-DIE-with-a-controlled-format-string.patch
From d1c304e955e25c7a12a67cf3a1e6907a1d5a5171 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Sat, 3 Mar 2012 20:36:26 +0200
Subject: [PATCH] Explicitly DIE() with a controlled format string
This fixes builds with 'gcc -Werror=format-security'.
As PL_no_localize_ref is an 'extern const' variable from the Perl core,
not an uncontrolled format string, the issue does not seem to have any
actual security impact.
---
Alias.xs | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/Alias.xs b/Alias.xs
index f619da5..23a6ca8 100644
--- a/Alias.xs
+++ b/Alias.xs
@@ -780,7 +780,7 @@ STATIC OP *DataAlias_pp_rv2sv(pTHX) {
sv = (SV *) (GvEGV(sv) ? GvEGV(sv) : fixglob(aTHX_ (GV *) sv));
if (PL_op->op_private & OPpLVAL_INTRO) {
if (SvTYPE(sv) != SVt_PVGV || SvFAKE(sv))
- DIE(aTHX_ PL_no_localize_ref);
+ DIE(aTHX_ "%s", PL_no_localize_ref);
switch (PL_op->op_type) {
case OP_RV2AV:
da_localize_gvar(aTHX_ GvGP(sv), (SV **) &GvAV(sv));
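Review bot: No objection to the changed DIE() line in DataAlias_pp_rv2sv; the point to confirm is coverage, since the patch touches only this one call. The compiler output quoted in the report shows a single diagnostic (Alias.xs:783) and the diffstat shows one changed line, so a rebuild with -Werror=format-security after applying should come out clean; if any other DIE() or croak-style call in Alias.xs passes a non-literal string as the format, it wants the same "%s" form. With "%s" the message is printed verbatim, so the text is unchanged as long as PL_no_localize_ref contains no conversion specifiers, which the original no-argument call already relied on.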
--
1.7.9.1
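
The difference between the two call shapes in the patch, as an added example that is not code from the module, the patch or the Perl core: `report`, `as_format`, `as_argument` and `sample_msg` are hypothetical names, and the message text is constructed (it contains "%%" so both calls stay well-defined).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample text, not the Perl core string. It contains "%%" so the
 * two call shapes below produce visibly different (and well-defined) output. */
static const char sample_msg[] = "quota is 100%% used";

/* Hypothetical DIE()-like reporter that formats into buf instead of aborting.
 * The format attribute makes GCC/Clang check callers as they do for printf. */
__attribute__((format(printf, 3, 4)))
static int report(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Pre-patch shape: the message is the format, so it is parsed for
 * conversions. This is the call -Werror=format-security rejects, hence the
 * pragmas that let the demonstration compile. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *as_format(char *buf, size_t len, const char *msg)
{
    report(buf, len, msg);
    return buf;
}
#pragma GCC diagnostic pop

/* Post-patch shape: the format is a literal and the message is only data. */
static const char *as_argument(char *buf, size_t len, const char *msg)
{
    report(buf, len, "%s", msg);
    return buf;
}

int main(void)
{
    char a[64], b[64];
    printf("as format:   %s\n", as_format(a, sizeof a, sample_msg));
    printf("as argument: %s\n", as_argument(b, sizeof b, sample_msg));
    return 0;
}
```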