3.6% of heads up: Please correct your #includes or optflags use

Lubomir Kundrak lkundrak at redhat.com
Thu Mar 20 15:56:37 UTC 2008


On Thu, 2008-03-20 at 09:57 -0500, Jason L Tibbitts III wrote:
> OK, so one of my packages shows up on this list.  But I've verified
> that the compiler is indeed called with the proper flags in all cases,
> there are no instances of implicit declarations of anything (no lines
> matching "implicit" or "declaration" in the build log), as far as I
> can tell, the code does not define the problematic function (sprintf)
> itself, and the hostname in the URL
> http://ovecka.be/~lkundrak/blog/entries/fortify-check.html doesn't
> resolve.

$ find nazghul -name '*.[ch]' |xargs grep -l printf |xargs grep -L stdio.h
nazghul/src/ascii.c
...
nazghul/config.h
$ 

These files do use *printf, but don't include <stdio.h>.
Please patch them and send the patch upstream if possible.

> So what's to be done?  My understanding was that we'd try to pass
> these flags at all times but that there's no strict guarantee that
> they will actually function on any particular piece of code and that
> we shouldn't go rewriting upstream code to make them work when there
> is no security exposure (as in the case of my package).

There's always a chance for *printf functions to be used incorrectly and
make up an attack vector for format string attacks. Consider the situation
when they are used to output the file name of a randomly named file that's
in their working directory, etc.

Thanks,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
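The find/grep check from the message above, as an added example that is not part of the thread: it lists .c/.h files that call a printf-family function without including <stdio.h>, so the call is implicitly declared and _FORTIFY_SOURCE cannot substitute its checked variant. The call-matching regex is my own heuristic, and the sample tree is constructed here rather than taken from the nazghul sources.

```shell
# Added example (not from the thread): a reusable version of the find/grep
# check above. It lists .c/.h files that *call* a printf-family function
# without including <stdio.h>; with no prototype the call is implicitly
# declared, so _FORTIFY_SOURCE cannot swap in the checked variant.
find_unprototyped_printf() {
    dir=$1
    find "$dir" -name '*.[ch]' -print |
    while IFS= read -r f; do
        # Match a call such as sprintf( / snprintf( / fprintf( , not the bare
        # word, so a comment or an autoconf HAVE_SNPRINTF line is not flagged.
        if grep -Eq '(^|[^A-Za-z0-9_])[a-z_]*printf[[:space:]]*\(' "$f" &&
           ! grep -Eq '^[[:space:]]*#[[:space:]]*include[[:space:]]*<stdio\.h>' "$f"
        then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (not the nazghul sources) so the check runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/src"
    printf '#include <stdio.h>\nvoid ok(void) { printf("fine\\n"); }\n' > "$t/src/good.c"
    printf '#include <string.h>\nvoid bad(char *b) { sprintf(b, "%%d", 1); }\n' > "$t/src/bad.c"
    # A word-level "grep -l printf" would flag this; the call-level check does not.
    printf '/* #undef HAVE_SNPRINTF */\n' > "$t/config.h"
    printf '%s\n' "$t"
}

# Usage: find_unprototyped_printf "$(make_sample_tree)"   # lists only src/bad.c
```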
