Please check build logs for format security warnings

Kees Cook kees at
Fri Sep 5 01:51:44 BST 2008

On Thu, Sep 04, 2008 at 11:01:39AM +0100, Matt Zimmerman wrote:
> On Mon, Aug 25, 2008 at 04:31:21PM -0700, Kees Cook wrote:
> > With the addition of new default compiler flags[1] in Intrepid, there have
> > been FTBFS issues we've all had to fix in various package builds, but
> > one of the compiler flags does not abort (unless -Werror is specified):
> > format security checks[2].
> > 
> > There has already been one case[3] of warnings[4] being overlooked where
> > an upstream source ended up being vulnerable to format string attacks.
> > 
> > For intrepid+1, I'm going to see if "-Werror=format-security" can get
> > added to the compiler flags, making this a FTBFS issue.  In the meantime
> > for Intrepid, I'd like to ask anyone doing uploads to grep for "warning:
> > format not" in the build logs and get any warnings cleaned up.
> It's not very likely that uploaders will grep the build logs for all of
> their uploads.  How about centrally searching all build logs for Intrepid
> and filing bugs?

I don't think it's going to be a small number of bug reports.  Also, I'm
unaware of a non-screen-scraping way to get all the build logs for the
current versions of each package in the Intrepid archive.  I can create
something to do it, though.  Perhaps I can check for the FORTIFY warnings
too?  There are a lot of packages that don't compile with -Werror.  :)


Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list