[ubuntu/jaunty] conntrack 1:0.9.7-1.1ubuntu1 (Accepted)
Kees Cook
kees at ubuntu.com
Mon Nov 24 00:31:28 GMT 2008
Hi,
On Mon, Nov 24, 2008 at 12:15:13AM -0000, Manny Vindiola wrote:
> conntrack (1:0.9.7-1.1ubuntu1) jaunty; urgency=low
>
> * Merge from debian unstable (LP: 256380), remaining changes:
> + #include <limits.h> in {main,ignore_pool}.c to get PATH_MAX and INT_MAX
> + local.c: Fix insecure printf usage
> + debian/rules:
> -undef _FORTIFY_SOURCE so that it doesn't fail about ignored chdir()
> return value.
Undefining FORTIFY should only be done in extreme cases when it is not
possible to correct the situations it helps detects. As documented[1], it
is much better to check the ignored return values, and handle them in some
graceful way, instead of disabling FORTIFY for the entire build, as this
will leave the program without the run-time protections FORTIFY provides.
In situations where it is not obvious how an error can be handled
correctly, tricking the compiler into throwing away the return value is
still preferred to disabling FORTIFY globally for the build. (And in all
situations, the changes should be forwarded to the Debian bug tracker.)
-Kees
[1] https://wiki.ubuntu.com/CompilerFlags
--
Kees Cook
Ubuntu Security Team
More information about the ubuntu-devel
mailing list