Please check build logs for format security warnings
Kees Cook
kees at ubuntu.com
Fri Sep 5 01:51:44 BST 2008
On Thu, Sep 04, 2008 at 11:01:39AM +0100, Matt Zimmerman wrote:
> On Mon, Aug 25, 2008 at 04:31:21PM -0700, Kees Cook wrote:
> > With the addition of new default compiler flags[1] in Intrepid, there have
> > been FTBFS issues we've all had to fix in various package builds, but
> > one of the compiler flags does not abort (unless -Werror is specified):
> > format security checks[2].
> >
> > There has already been one case[3] of warnings[4] being overlooked where
> > an upstream source ended up being vulnerable to format string attacks.
> >
> > For intrepid+1, I'm going to see if "-Werror=format-security" can get
> > added to the compiler flags, making this a FTBFS issue. In the meantime
> > for Intrepid, I'd like to ask anyone doing uploads to grep for "warning:
> > format not" in the build logs and get any warnings cleaned up.
>
> It's not very likely that uploaders will grep the build logs for all of
> their uploads. How about centrally searching all build logs for Intrepid
> and filing bugs?

I don't think it's going to be a small number of bug reports. Also, I'm
unaware of a non-screen-scraping way to get all the build logs for the
current versions of each package in the Intrepid archive. I can create
something to do it, though. Perhaps I can check for the FORTIFY warnings
too? There are a lot of packages that don't compile with -Werror. :)

-Kees

--
Kees Cook
Ubuntu Security Team
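
The log check requested in the thread, as an added example that is not part of the original message or of any Ubuntu tooling: it extracts each distinct `warning: format not` diagnostic from build logs and returns non-zero when any is found. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan build logs for the gcc format-security warning
# quoted in the thread ("warning: format not ...").

# scan_format_warnings LOG...
# Prints one line per distinct hit: <log>\t<source:line>\t<warning text>
scan_format_warnings() {
    for log in "$@"; do
        [ -r "$log" ] || { echo "skip: cannot read $log" >&2; continue; }
        # gcc diagnostics look like "src/foo.c:123: warning: format not a ..."
        # The same warning is often repeated in a log, so deduplicate.
        awk '/warning: format not/ {
            loc = $0; sub(/: warning: format not.*/, "", loc)
            msg = $0; sub(/^.*warning: /, "", msg)
            key = loc SUBSEP msg
            if (!(key in seen)) {
                seen[key] = 1
                printf "%s\t%s\t%s\n", FILENAME, loc, msg
            }
        }' "$log"
    done
}

# check_logs LOG...
# Prints the hits and returns 1 if any exist, so a script can treat the
# warning as a failure even though the compiler did not abort.
check_logs() {
    hits=$(scan_format_warnings "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample build log (not taken from a real package build).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
gcc -g -O2 -Wformat -Wformat-security -c src/log.c -o src/log.o
src/log.c: In function 'log_msg':
src/log.c:42: warning: format not a string literal and no format arguments
src/util.c:17: warning: unused variable 'i'
src/log.c:42: warning: format not a string literal and no format arguments
src/net.c:108: warning: format not a string literal and no format arguments
EOF

check_logs "$sample" || echo "format-security warnings found" >&2
```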