= Proposed System Wide Change: Format Security =
https://fedoraproject.org/wiki/Changes/FormatSecurity

Change owner(s): Dhiru Kholia <dhiru.kholia@xxxxxxxxx>

Enable the "-Werror=format-security" compilation flag for all packages in Fedora. Once this flag is enabled, GCC will refuse to compile code that could be vulnerable to a format string security flaw.

== Detailed Description ==

Once "-Werror=format-security" is enabled, GCC will refuse to compile code that could be vulnerable to a format string security flaw. Concretely, -Wformat-security (which only takes effect together with -Wformat, as enabled by -Wall) warns about calls to printf- and scanf-family functions where the format string is not a string literal and no format arguments are passed, for example printf(foo); -Werror=format-security turns that warning into a compile error, so such code can no longer be built. For more details, please see the FESCo ticket [1].

Enabling this option eliminates an entire class of security issues at build time! To further understand why it is important to fix such bugs, please see the Format-Security-FAQ page [2].

Implementing this change requires a single-line change to the /usr/lib/rpm/redhat/macros file (part of the redhat-rpm-config package). My patch to do this can be found at [3].

== Scope ==

Proposal owners: Currently, around 400 packages FTBFS (fail to build from source) if this flag is enabled. We need to file bugs and also try to solve these FTBFS issues.

Other developers: Currently, around 400 packages FTBFS if this flag is enabled. A list of packages which FTBFS is available at [4]. The fix for these errors is quite simple in most cases: it is a matter of changing a line like printf(foo) to read printf("%s", foo) instead. That's it. Note that this option only flags the no-argument case; a non-literal format string that is passed together with arguments, as in printf(fmt, x), is not reported by -Wformat-security and still needs to be reviewed by hand (GCC's -Wformat-nonliteral covers that shape). More details are available in the Format-Security-FAQ [2]. Additionally, we highly encourage owners of the affected packages to work with upstream so the fix lands there too.

Release engineering: A mass build is required.
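As an added illustration of the fix described under "Other developers" above (example code written for this page, not part of the proposal, of redhat-rpm-config, or of any affected package), the following C program places the rejected printf(foo) shape beside the printf("%s", foo) form. The function names log_unsafe, log_safe and output_matches and the attacker-style sample_input are this example's own assumptions; the sample input uses "%%" rather than "%x" or "%n" so that the run is deterministic and does not touch unintended memory.

```c
/* Added example (not part of the Fedora proposal or of any package's code):
 * the printf(foo) pattern that -Werror=format-security rejects, beside the
 * printf("%s", foo) form that the proposal asks maintainers to switch to.
 * All names and the sample input below are this example's own. */
#include <stdio.h>
#include <string.h>

/* Constructed attacker-style input. "%%" is used so the demonstration is
 * deterministic: the unsafe path collapses it to "%" (proof that the input is
 * being parsed as a format), whereas a real payload would use "%x" to leak
 * stack words or "%n" to write to memory. */
static const char *const sample_input = "100%% done, status: %%s";

/* Vulnerable form: an attacker-controlled string is the format string.
 * This is exactly the call shape GCC reports as
 *   "format not a string literal and no format arguments [-Wformat-security]"
 * and that -Werror=format-security turns into a hard build failure.
 * The diagnostic is silenced here only so the example still compiles under
 * the flag; in a real package this function is the line that must be fixed. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int log_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}
#pragma GCC diagnostic pop

/* Fixed form from the proposal: the format is a literal and the data is an
 * argument, so '%' characters in msg are copied verbatim. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Run one of the two loggers on msg and report whether the bytes it produced
 * equal `expected`. Returns 1 on match, 0 on mismatch or truncation. */
int output_matches(int (*logger)(char *, size_t, const char *),
                   const char *msg, const char *expected)
{
    char buf[128];
    int n = logger(buf, sizeof buf, msg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];

    log_unsafe(buf, sizeof buf, sample_input);
    printf("unsafe : %s\n", buf);   /* directives in the input were interpreted */

    log_safe(buf, sizeof buf, sample_input);
    printf("safe   : %s\n", buf);   /* input copied byte for byte */

    return 0;
}
```

Build it with `gcc -Wall -Werror=format-security example.c` (the -Wall is needed because -Wformat-security is ignored without -Wformat). Deleting the two pragma lines around log_unsafe reproduces the build failure that the proposal's mass rebuild surfaces in the affected packages; the one-line change to the log_safe form is the fix.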
Policies and guidelines: N/A

[1] https://fedorahosted.org/fesco/ticket/1185
[2] https://fedoraproject.org/wiki/Format-Security-FAQ
[3] https://bitbucket.org/dhiru/redhat-rpm-config/branch/strict-format
[4] http://people.fedoraproject.org/~halfie/rebuild-logs.txt

_______________________________________________
devel-announce mailing list
devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct