
Re: Bug#657853: Building perl with hardened build flags
On Sat, Feb 11, 2012 at 01:51:19PM +0000, Dominic Hargreaves wrote:

> > > - 13 packages newly FTBFS with the perl from experimental installed
> > > - of those, 12 are -Werror=format-security issues
> > 
> > > It would be nice to fix all the packages first, but it's probably not
> > > a sensible approach.
> > 
> > Those numbers are lower than I expected, and the format-security fixes
> > are generally trivial: change croak(var) to croak("%s", var) AIUI. So
> > it might be sensible anyway. Somebody (TM) should file bugs about those
> > in any case.
> 
> Agreed. Moritz, do you have any views on how/if to report those, and
> at which severity?

If the missing format string is variable and controlled externally (e.g. 
if read from a file or from network communication), please file it 
with RC severity and the security tag. (If it's a popular Perl module, 
please contact team@security.debian.org, so that we can coordinate with 
other distros.)

Otherwise it's rather "normal" severity.

Cheers,
        Moritz
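The croak(var) versus croak("%s", var) change discussed in the thread, as an added example that is not code from the bug report or from any of the affected packages. Perl's real croak() needs the Perl headers, so a hypothetical stand-in, croak_into(), with the same printf-style contract is used here, and the "externally read" message is a constructed string; everything else is plain C.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256

/* Hypothetical stand-in for Perl's croak(): printf-style format string
 * followed by the arguments it consumes. It renders into a caller-supplied
 * buffer instead of raising a Perl exception so the result can be inspected.
 * The format attribute is what lets the compiler apply -Wformat-security to
 * calls of this function, just as it does for the real croak(). */
static int croak_into(char *out, size_t outsz, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int croak_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* BEFORE: the idiom the thread found in the FTBFS packages. The message is
 * used as the format string, so every '%' in it is parsed as a conversion.
 * Under -Werror=format-security this call is a build error ("format not a
 * string literal and no format arguments"); the pragma silences that here
 * only so the demo compiles and the two behaviours can be compared. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int croak_unsafe(char *out, size_t outsz, const char *msg)
{
    return croak_into(out, outsz, msg);
}
#pragma GCC diagnostic pop

/* AFTER: the fix from the thread. "%s" is the literal format and msg is its
 * argument, so msg is copied verbatim whatever characters it contains. */
static int croak_safe(char *out, size_t outsz, const char *msg)
{
    return croak_into(out, outsz, "%s", msg);
}

/* Constructed input standing in for text read from a file or a socket.
 * "%%" is used because it is the one directive that consumes no argument,
 * which keeps the unsafe path deterministic; a "%s" or "%n" in real
 * attacker-controlled input would read (or write) through whatever the
 * caller's stack and argument registers happen to hold. */
static const char *kExternal = "parse error in field 'discount=50%%'";

/* The safe path reproduces the input exactly. */
static int safe_is_verbatim(void)
{
    char out[MSG_MAX];
    croak_safe(out, sizeof out, kExternal);
    return strcmp(out, kExternal) == 0;
}

/* The unsafe path interprets the input: "%%" collapses to a single '%'. */
static int unsafe_rewrites_percent(void)
{
    char out[MSG_MAX];
    croak_unsafe(out, sizeof out, kExternal);
    return strcmp(out, "parse error in field 'discount=50%'") == 0;
}

int main(void)
{
    char out[MSG_MAX];

    croak_unsafe(out, sizeof out, kExternal);
    printf("croak(msg):        %s\n", out);

    croak_safe(out, sizeof out, kExternal);
    printf("croak(\"%%s\", msg): %s\n", out);
    return 0;
}
```

Building the block with -Wformat-security (or with the pragma removed under -Werror=format-security) shows the diagnostic the packages hit; the severity rule in Moritz's reply turns on whether a string like kExternal can actually arrive from outside the process.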