Skip Menu |
 

This queue is for tickets about the Data-Alias CPAN distribution.

Report information
The Basics
Id: 75569
Status: resolved
Priority: 0/
Queue: Data-Alias

People
Owner: Nobody in particular
Requestors: dom [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.16
Fixed in: (no value)

Attachments
0001-Explicitly-DIE-with-a-controlled-format-string.patch



Subject: -Werror=format-security failure
Download (untitled) / with headers
text/plain 561b
As per <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661398> this module suffers from a format string issue (it fails to build with - Werror=format-security failure). As PL_no_localize_ref is an 'extern const' variable from the Perl core, not an uncontrolled format string, the issue does not seem to have any actual security impact. Alias.xs: In function 'DataAlias_pp_rv2sv': Alias.xs:783:4: error: format not a string literal and no format arguments [-Werror=format-security] cc1: some warnings being treated as errors Patch from Niko Tyni attached.
Subject: 0001-Explicitly-DIE-with-a-controlled-format-string.patch
From d1c304e955e25c7a12a67cf3a1e6907a1d5a5171 Mon Sep 17 00:00:00 2001 From: Niko Tyni <ntyni@debian.org> Date: Sat, 3 Mar 2012 20:36:26 +0200 Subject: [PATCH] Explicitly DIE() with a controlled format string This fixes builds with 'gcc -Werror=format-security'. As PL_no_localize_ref is an 'extern const' variable from the Perl core, not an uncontrolled format string, the issue does not seem to have any actual security impact. --- Alias.xs | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/Alias.xs b/Alias.xs index f619da5..23a6ca8 100644 --- a/Alias.xs +++ b/Alias.xs @@ -780,7 +780,7 @@ STATIC OP *DataAlias_pp_rv2sv(pTHX) { sv = (SV *) (GvEGV(sv) ? GvEGV(sv) : fixglob(aTHX_ (GV *) sv)); if (PL_op->op_private & OPpLVAL_INTRO) { if (SvTYPE(sv) != SVt_PVGV || SvFAKE(sv)) - DIE(aTHX_ PL_no_localize_ref); + DIE(aTHX_ "%s", PL_no_localize_ref); switch (PL_op->op_type) { case OP_RV2AV: da_localize_gvar(aTHX_ GvGP(sv), (SV **) &GvAV(sv)); -- 1.7.9.1
Subject: Re: [rt.cpan.org #75569] -Werror=format-security failure
Date: Tue, 6 Mar 2012 11:37:20 +0000
To: Dominic Hargreaves via RT <bug-Data-Alias [...] rt.cpan.org>
From: Zefram <zefram [...] fysh.org>
Download (untitled) / with headers
text/plain 298b
Dominic Hargreaves via RT wrote: Show quoted text
>- DIE(aTHX_ PL_no_localize_ref); >+ DIE(aTHX_ "%s", PL_no_localize_ref);
Looking at the core, it seems PL_no_localize_ref should indeed be used as a data string, not as a format string, so this patch is correct. Will be in the next release. Thanks. -zefram
Fixed in Data-Alias-1.17, now on CPAN.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.