Bug 3583 - (int-87567) libhildonmime fails to build with -Wformat-security due to variable format strings
Status: RESOLVED FIXED
Product: Desktop platform
Component: hildon-widgets
Version: 4.1.1 (4.2008.30-2)
Platform: All Linux
Importance: Low normal
Target Milestone: 4.1+
Assigned To: unassigned
QA Contact: hildon-libs-bugs
Keywords: patch
 
Reported: 2008-08-14 21:29 UTC by Loic Minier
Modified: 2008-12-01 12:43 UTC

Attachments
Format string fixes; use "%s" explicitly (1006 bytes, patch)
2008-08-14 21:30 UTC, Loic Minier

Description Loic Minier (reporter) 2008-08-14 21:29:37 UTC
Hi,

libhildonmime fails to build with some -Wformat* gcc flag which is in use in
Ubuntu by default (for security purposes):
/bin/bash ../libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. -I..
-I../libhildonmime -DPREFIX=\"/usr\"
-DGLOBS_FILE_PATH=\"/usr/share/mime/globs\" -Wall -Wunused -Wchar-subscripts
-Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wpointer-arith
-Wno-sign-compare -Wno-pointer-sign -Werror  -pthread -DORBIT2=1
-I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include
-I/usr/include/gnome-vfs-2.0 -I/usr/lib/gnome-vfs-2.0/include
-I/usr/include/gconf/2 -I/usr/include/orbit-2.0
-I/usr/include/gnome-vfs-module-2.0 -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include   -g -O2 -g -O2 -MT libhildonmime_la-hildon-uri.lo
-MD -MP -MF .deps/libhildonmime_la-hildon-uri.Tpo -c -o
libhildonmime_la-hildon-uri.lo `test -f 'hildon-uri.c' || echo
'./'`hildon-uri.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I.. -I../libhildonmime
-DPREFIX=\"/usr\" -DGLOBS_FILE_PATH=\"/usr/share/mime/globs\" -Wall -Wunused
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes -Wnested-externs
-Wpointer-arith -Wno-sign-compare -Wno-pointer-sign -Werror -pthread -DORBIT2=1
-I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include
-I/usr/include/gnome-vfs-2.0 -I/usr/lib/gnome-vfs-2.0/include
-I/usr/include/gconf/2 -I/usr/include/orbit-2.0
-I/usr/include/gnome-vfs-module-2.0 -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -g -O2 -g -O2 -MT libhildonmime_la-hildon-uri.lo
-MD -MP -MF .deps/libhildonmime_la-hildon-uri.Tpo -c hildon-uri.c  -fPIC -DPIC
-o .libs/libhildonmime_la-hildon-uri.o
cc1: warnings being treated as errors
hildon-uri.c: In function ‘hildon_uri_get_scheme_from_uri’:
hildon-uri.c:1714: error: format not a string literal and no format arguments
hildon-uri.c: In function ‘hildon_uri_open’:
hildon-uri.c:2295: error: format not a string literal and no format arguments
hildon-uri.c:2351: error: format not a string literal and no format arguments
hildon-uri.c:2379: error: format not a string literal and no format arguments
make[3]: *** [libhildonmime_la-hildon-uri.lo] Erreur 1


This is because of calls to printf with a variable string as argument.

I'll attach the patch we use to fix the build for us.

I checked the relevant code, and the strings in use are fine; there's probably
no security issue here.

Bye,
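
An added example (not the attached patch and not libhildonmime code) of the call pattern gcc rejects in the log above, next to the "%s" form of the fix. The names report(), report_unsafe() and report_safe() are hypothetical, and the input string is constructed.

```c
/* Build with: gcc -Wformat -Wformat-security -Werror example.c
   Add -DSHOW_WARNING to reproduce the diagnostic from the build log. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style wrapper. The format attribute makes gcc check
   its callers the same way it checks calls to printf itself. */
static int report(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

#ifdef SHOW_WARNING
/* Rejected: msg is used as the format, so any '%' in it is a directive. */
static int report_unsafe(char *out, size_t n, const char *msg)
{
    return report(out, n, msg);
}
#endif

/* Accepted: the format is a literal and msg is passed only as data. */
static int report_safe(char *out, size_t n, const char *msg)
{
    return report(out, n, "%s", msg);
}

int main(void)
{
    char buf[64];
    /* Constructed input containing conversion characters. */
    const char *msg = "scheme 100%s %x";
    int len = report_safe(buf, sizeof buf, msg);
    printf("%d bytes: %s\n", len, buf);
    return len == (int)strlen(msg) ? 0 : 1;
}
```
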
Comment 1 Loic Minier (reporter) 2008-08-14 21:30:32 UTC
Created an attachment (id=872)
Format string fixes; use "%s" explicitly
Comment 2 Loic Minier (reporter) 2008-08-14 21:31:09 UTC
NB: actual patch was provided by Steve Kowalik.
Comment 3 Andre Klapper maemo.org 2008-08-15 13:57:50 UTC
I assume this is about libhildonmime 2.0.2-1?
Comment 4 Andre Klapper maemo.org 2008-08-15 14:10:46 UTC
Ah, libhildonmime-1.10.1, and this is still valid in Diablo's 2.0.2-1 (just
took a look at the code)
Comment 5 Loic Minier (reporter) 2008-08-15 15:36:34 UTC
We're indeed using 1.10.1, but I checked SVN yesterday when reporting the bug
and saw some calls without the clarifying "%s" (2.0.2).
Comment 6 Jianjun Yu 2008-09-01 09:42:58 UTC
I cannot reproduce this. I downloaded libhildonmime 2.0.2 and then ran
./configure && make && make install. There is no error!

I also downloaded libhildonmime 1.10.1 and then ran ./configure && make && make
install. There is no error either!

libhildonmime2.0.2
http://repository.maemo.org/pool/maemo4.1/free/libh/libhildonmime/
libhildonmime1.10.1
http://repository.maemo.org/pool/chinook/free/libh/libhildonmime/
Comment 7 Loic Minier (reporter) 2008-09-01 10:58:29 UTC
./configure CFLAGS="-Wformat -Wformat-security -Werror"
make
...
 gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../libhildonmime -DPREFIX=\"/usr/local\"
-DGLOBS_FILE_PATH=\"/usr/local/share/mime/globs\" -Wall -Wunused
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes -Wnested-externs
-Wpointer-arith -Wno-sign-compare -Wno-pointer-sign -Werror -pthread -DORBIT2=1
-I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include
-I/usr/include/gnome-vfs-2.0 -I/usr/lib/gnome-vfs-2.0/include
-I/usr/include/gconf/2 -I/usr/include/orbit-2.0
-I/usr/include/gnome-vfs-module-2.0 -I/usr/include/dbus-1.0
-I/usr/lib/dbus-1.0/include -Wformat -Wformat-security -Werror -MT
libhildonmime_la-hildon-mime-patterns.lo -MD -MP -MF
.deps/libhildonmime_la-hildon-mime-patterns.Tpo -c hildon-mime-patterns.c 
-fPIC -DPIC -o .libs/libhildonmime_la-hildon-mime-patterns.o
if gcc -DHAVE_CONFIG_H -I. -I. -I.. -I../libhildonmime -DPREFIX=\"/usr/local\"
-DGLOBS_FILE_PATH=\"/usr/local/share/mime/globs\" -Wall -Wunused
-Wchar-subscripts -Wmissing-declarations -Wmissing-prototypes -Wnested-externs
-Wpointer-arith -Wno-sign-compare -Wno-pointer-sign -Werror 
-I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/libxml2  
-Wformat -Wformat-security -Werror -MT
hildon_update_category_database-update-category-database.o -MD -MP -MF
".deps/hildon_update_category_database-update-category-database.Tpo" -c -o
hildon_update_category_database-update-category-database.o `test -f
'update-category-database.c' || echo './'`update-category-database.c; \
        then mv -f
".deps/hildon_update_category_database-update-category-database.Tpo"
".deps/hildon_update_category_database-update-category-database.Po"; else rm -f
".deps/hildon_update_category_database-update-category-database.Tpo"; exit 1;
fi
cc1: warnings being treated as errors
hildon-uri.c: In function ‘hildon_uri_get_scheme_from_uri’:
hildon-uri.c:1714: error: format not a string literal and no format arguments
hildon-uri.c: In function ‘hildon_uri_open’:
hildon-uri.c:2295: error: format not a string literal and no format arguments
hildon-uri.c:2351: error: format not a string literal and no format arguments
hildon-uri.c:2379: error: format not a string literal and no format arguments
make[2]: *** [libhildonmime_la-hildon-uri.lo] Erreur 1
make[2]: *** Attente des tâches non terminées....
make[2]: quittant le répertoire «
/home/lool/svn/stage.maemo.org/maemo/projects/haf/trunk/libhildonmime/libhildonmime
»
make[1]: *** [all-recursive] Erreur 1
make[1]: quittant le répertoire «
/home/lool/svn/stage.maemo.org/maemo/projects/haf/trunk/libhildonmime »
make: *** [all] Erreur 2
Comment 8 Andre Klapper maemo.org 2008-12-01 12:43:49 UTC
Fixed in package
libhildonmime 2.0.2-2
which is part of the internal build version
diablo build x.2008.47

(Note that 2008 is the year and the number after is the week.)

Any public update released with or after this build version will include the
fix.
Please verify that the new version fixes the bug by marking this bug report as
VERIFIED after the public update has been released and if you have some time.