[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mass bug filing for undefined sn?printf use

On Sun, Dec 28, 2008 at 10:27:16AM +0000, Neil Williams wrote:
> On Sun, 28 Dec 2008 00:42:46 -0800 Kees Cook <kees@outflux.net> wrote:
> > In Debian, some tools already compile natively with -D_FORTIFY_SOURCE=2,
> > and some have Build-Depends on "hardening-wrapper", which enables this
> > compiler flag.  As such, it seems sensible to have all affected packages
> > fixed since the results of such a call could change.  (Though it is not an
> > RC issue.)
> By all affected packages, do you mean packages that use the code or
> packages that use the code *AND* compile with  or
> Build-Depend on hardening-wrapper?
> IMHO any bugs filed merely due to the presence of the code without the
> means to trigger the error in normal builds should be wishlist.

Sorry for the confusion -- I meant "present in the code", not "actively
broken".  I agree it's not a "normal" bug, but I'd like to see the bug at
least as "low" since (with a stock glibc) the bug would appear if a
maintainer decided to use "hardening-wrapper".

> > Thoughts?
> Split the list according to packages that merely match the regexp and
> those that match the regexp *AND* match a second regexp indicating that
> the build system either uses -D_FORTIFY_SOURCE=2 or hardening-wrapper?

Good idea, those can be opened with "normal" severity.


Kees Cook                                            @debian.org

Reply to: