[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#657853: Building perl with hardened build flags

On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:

> > > - 13 packages newly FTBFS with the perl from experimental installed
> > > - of those, 12 are -Werror=format-security issues
> > 
> > > It would be nice to fix all the packages first, but it's probably not
> > > a sensible approach.
> > 
> > Those numbers are lower than I expected, and the format-security fixes
> > are generally trivial: change croak(var) to croak("%s", var) AIUI. So
> > it might be sensible anyway. Somebody (TM) should file bugs about those
> > in any case.
> Agreed. Moritz, do you have any views on how/if to report those, and
> at which severity?

If the missing format string is variable and controlled externally (e.g. 
if read from a file or from network communication), please file it 
with RC severity and the security tag. (If it's a popular Perl module, 
please contact  team@security.debian.org, so that we can coordinate with 
other distros.)

Otherwise it's rather "normal" severity.


Reply to: