Re: [Debian-med-packaging] Trying to disable error=format-security for clapack

To: Gert Wollny <gw.fossdev@gmail.com>, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>, Debian Mentors List <debian-mentors@lists.debian.org>
Subject: Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
From: Gianfranco Costamagna <locutusofborg@debian.org>
Date: Mon, 16 May 2016 10:16:29 +0000 (UTC)
Message-id: <[🔎] 2114308793.4727773.1463393789155.JavaMail.yahoo@mail.yahoo.com>
Reply-to: Gianfranco Costamagna <locutusofborg@debian.org>
In-reply-to: <[🔎] 1463392922.18357.21.camel@gmail.com>
References: <[🔎] 20160516090743.GA31593@an3as.eu> <[🔎] 13220075.4521102.1463390070094.JavaMail.yahoo@mail.yahoo.com> <[🔎] 1463392922.18357.21.camel@gmail.com>

Hi Gert!

>I think, since in this case the (empty) format string passed to the printf call is not user generated there is no security problem to be exploited.


yes, sure, but disabling this flag has a nasty side-effect, it is disabled in the *whole* build, possibly
hiding more serious issues somewhere else.

I would prefer disabling that test, rather than disabling a security feature in the whole package.

BTW fedora packaged "F2CLIBS" separately from clapack, I'm not sure if worth a try or not, but it should be at least considered.

cheers,

G.

Reply to:

Follow-Ups:
- Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
  - From: Gert Wollny <gw.fossdev@gmail.com>

References:
- Trying to disable error=format-security for clapack
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Trying to disable error=format-security for clapack
  - From: Gianfranco Costamagna <locutusofborg@debian.org>
- Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
  - From: Gert Wollny <gw.fossdev@gmail.com>

Prev by Date: Bug#801262: RFS: ppsspp/1.1.1-1 [ITP] -- A portable PSP emulator
Next by Date: Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
Previous by thread: Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
Next by thread: Re: [Debian-med-packaging] Trying to disable error=format-security for clapack
Index(es):
- Date
- Thread