Please check build logs for format security warnings
Kees Cook
kees at ubuntu.com
Tue Aug 26 00:31:21 BST 2008
With the addition of new default compiler flags[1] in Intrepid, there have
been FTBFS issues we've all had to fix in various package builds, but
one of the compiler flags does not abort (unless -Werror is specified):
format security checks[2].
There has already been one case[3] of warnings[4] being overlooked where
an upstream source ended up being vulnerable to format string attacks.
For intrepid+1, I'm going to see if "-Werror=format-security" can get
added to the compiler flags, making this a FTBFS issue. In the meantime
for Intrepid, I'd like to ask anyone doing uploads to grep for "warning:
format not" in the build logs and get any warnings cleaned up.
Thanks,
-Kees
[1] https://wiki.ubuntu.com/CompilerFlags
[2] https://wiki.ubuntu.com/CompilerFlags#format-security
[3] https://launchpad.net/bugs/254860
[4] http://launchpadlibrarian.net/15402035/buildlog_ubuntu-intrepid-i386.yelp_2.23.1-0ubuntu1_FULLYBUILT.txt.gz
--
Kees Cook
Ubuntu Security Team
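The grep Kees asks uploaders to run, turned into a small build-log check as an added example (it is not from the mail and not Ubuntu's own tooling). The sample log lines are constructed to look like gcc output, and the function names are my own.

```sh
#!/bin/sh
# Added example: scan a build log for the format-security warnings that
# -Wformat -Wformat-security emit, list each source location once, and
# fail if any are present so the check can gate an upload.

# Constructed sample log (not the yelp log linked in the mail). The first
# warning is repeated, as happens when a file is compiled twice; the last
# one uses the newer "file:line:col:" layout so both forms are handled.
SAMPLE_LOG='gcc -Wall -Wformat -Wformat-security -c -o main.o main.c
main.c:142: warning: format not a string literal and no format arguments
main.c:142: warning: format not a string literal and no format arguments
gcc -Wall -Wformat -Wformat-security -c -o util.o util.c
util.c:88: warning: unused variable i
util.c:201:9: warning: format not a string literal and no format arguments [-Wformat-security]'

# format_warnings: read a build log on stdin, print "file:line" for every
# distinct format-security warning (sorted, duplicates collapsed).
format_warnings() {
    grep 'warning: format not' | cut -d: -f1,2 | sort -u
}

# format_warning_count: number of distinct locations; 0 means the log is clean.
format_warning_count() {
    format_warnings | wc -l | tr -d ' '
}

# format_check: succeed only when the log on stdin has no such warnings.
format_check() {
    [ "$(format_warning_count)" = "0" ]
}

# Stand-alone run against the constructed sample; for a real log use
#   zcat buildlog_*.txt.gz | format_warnings
printf '%s\n' "$SAMPLE_LOG" | format_warnings
```

Each reported location is a call where the format string is not a literal; the usual fix is to pass the data through a literal format such as `"%s"`.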