Please check build logs for format security warnings

Matt Zimmerman mdz at ubuntu.com
Thu Sep 4 11:01:39 BST 2008


On Mon, Aug 25, 2008 at 04:31:21PM -0700, Kees Cook wrote:
> With the addition of new default compiler flags[1] in Intrepid, there have
> been FTBFS issues we've all had to fix in various package builds, but
> one of the compiler flags does not abort (unless -Werror is specified):
> format security checks[2].
> 
> There has already been one case[3] of warnings[4] being overlooked where
> an upstream source ended up being vulnerable to format string attacks.
> 
> For intrepid+1, I'm going to see if "-Werror=format-security" can get
> added to the compiler flags, making this a FTBFS issue.  In the meantime
> for Intrepid, I'd like to ask anyone doing uploads to grep for "warning:
> format not" in the build logs and get any warnings cleaned up.

It's not very likely that uploaders will grep the build logs for all of
their uploads.  How about centrally searching all build logs for Intrepid
and filing bugs?

-- 
 - mdz
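As an added example (not part of this thread, and not any Ubuntu or Launchpad tooling), here is a small POSIX shell script that does the log search the message describes: it counts GCC's -Wformat-security diagnostics in one build log, lists the offending source locations, and scans a directory of logs to produce a per-package summary, which is the central check suggested above. The log contents are constructed for the demonstration; the warning text is what GCC prints for -Wformat-security, and the "one log per package named package.log" layout is an assumption.

```shell
#!/bin/sh
# Added example: scan build logs for -Wformat-security warnings.
# Log contents below are constructed; the layout "<package>.log" is assumed.

# Print the number of -Wformat-security warnings in one build log.
# Always exits 0 so it is safe to call under "set -e".
count_format_warnings() {
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    n=$(grep -c 'warning: format not' "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# Print "file:line" for every -Wformat-security warning in one build log.
# Handles both "foo.c:42: warning:" and "foo.c:42:5: warning:" diagnostics.
list_format_warnings() {
    sed -n 's/^\([^:]*:[0-9]*\):.*warning: format not.*/\1/p' "$1"
}

# Scan every *.log in a directory and print "<package> <count>" for each
# log that contains at least one warning (nothing for clean logs).
scan_build_logs() {
    dir=$1
    for log in "$dir"/*.log; do
        [ -f "$log" ] || continue
        n=$(count_format_warnings "$log")
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$(basename "$log" .log)" "$n"
        fi
    done
}

# Create a directory of constructed build logs for the demonstration
# (made-up output, not real buildd logs) and print its path.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/foo.log" <<'EOF'
gcc -g -O2 -Wformat -Wformat-security -c foo.c
foo.c:42: warning: format not a string literal and no format arguments
foo.c:57: warning: format not a string literal and no format arguments
gcc -o foo foo.o
EOF
    cat > "$d/bar.log" <<'EOF'
gcc -g -O2 -Wformat -Wformat-security -c bar.c
bar.c:10: warning: unused variable 'tmp'
gcc -o bar bar.o
EOF
    printf '%s\n' "$d"
}

# Usage: build the sample logs, print the summary, then show the locations
# for each package that was flagged.
demo() {
    d=$(make_sample_logs)
    scan_build_logs "$d"
    for log in "$d"/*.log; do
        list_format_warnings "$log"
    done
    rm -rf "$d"
}
```

Running `demo` prints `foo 2` followed by `foo.c:42` and `foo.c:57`; `bar` is silent because its only warning is unrelated. Pointing `scan_build_logs` at a directory of real build logs gives the per-package list from which bugs could be filed.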


