On Thu, 2008-03-20 at 09:57 -0500, Jason L Tibbitts III wrote:

> OK, so one of my packages shows up on this list. But I've verified
> that the compiler is indeed called with the proper flags in all cases,
> there are no instances of implicit declarations of anything (no lines
> matching "implicit" or "declaration" in the build log), as far as I
> can tell, the code does not define the problematic function (sprintf)
> itself, and the hostname in the URL
> http://ovecka.be/~lkundrak/blog/entries/fortify-check.html doesn't
> resolve.

$ find nazghul -name '*.[ch]' | xargs grep -l printf | xargs grep -L stdio.h
nazghul/src/ascii.c
...
nazghul/config.h
$

These files do use *printf, but don't include <stdio.h>. Please patch them and send the patch upstream if possible.

> So what's to be done? My understanding was that we'd try to pass
> these flags at all times but that there's no strict guarantee that
> they will actually function on any particular piece of code and that
> we shouldn't go rewriting upstream code to make them work when there
> is no security exposure (as in the case of my package).

There's always a chance for *printf functions to be used incorrectly and make up an attack vector for format string attacks. Consider the situation when they are used to output the file name of a randomly named file that's in their working directory, etc.

Thanks,
--
Lubomir Kundrak (Red Hat Security Response Team)

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
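An added example, not code from the thread or from nazghul, of the two things the reply asks for: including <stdio.h> so that a build with -O2 -D_FORTIFY_SOURCE=2 can substitute the checked snprintf wrapper, and passing an untrusted file name as a %s argument instead of as the format string. The function name and message text are my own.

```c
/* Added example (not from the thread or the nazghul sources). */
#include <stdio.h>   /* required: without this prototype the compiler sees
                        an implicit declaration and FORTIFY cannot replace
                        snprintf with its bounds-checked variant */
#include <string.h>

/* Write "Loading <name>..." into out. The file name is data, so it goes
   through a %s conversion and any '%' it contains is copied literally.
   Returns 0 on success, -1 if the message would not fit in out. */
int describe_file(char *out, size_t out_size, const char *name)
{
    /* The pattern the reply warns about would be:
     *     snprintf(out, out_size, name);
     * where a file named "%x %x %n" would drive the conversions.
     * gcc -Wformat-security reports that form. */
    int n = snprintf(out, out_size, "Loading %s...", name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;  /* truncated or encoding error: refuse, do not trust out */
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed sample name containing format directives. */
    if (describe_file(buf, sizeof buf, "%x %x %n") == 0)
        puts(buf);  /* prints the directives literally */
    return 0;
}
```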