Your message dated Sun, 25 Mar 2012 20:52:38 +0000
with message-id <[email protected]>
and subject line Bug#663908: fixed in lftp 4.3.5-2
has caused the Debian Bug report #663908,
regarding lftp: CXXFLAGS hardening flags missing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
663908: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663908
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lftp
Version: 4.3.5-1
Severity: important
Tags: patch

Dear Maintainer,

The CXXFLAGS hardening flags are missing because they are not set
in debian/rules. This prevents CXXFLAGS hardening in src/*.

The following patch fixes the issue.

    diff -Nru lftp-4.3.5/debian/rules lftp-4.3.5/debian/rules
    --- lftp-4.3.5/debian/rules     2012-01-13 20:11:25.000000000 +0100
    +++ lftp-4.3.5/debian/rules     2012-03-13 22:44:24.000000000 +0100
    @@ -14,6 +14,7 @@

     CFLAGS = `dpkg-buildflags --get CFLAGS`
     CFLAGS += -g -Wall
    +CXXFLAGS = `dpkg-buildflags --get CXXFLAGS` -g -Wall
     LDFLAGS = `dpkg-buildflags --get LDFLAGS`
     CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
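Review bot: the new CXXFLAGS line folds `-g -Wall` into the same assignment, whereas CFLAGS two lines above takes them on a separate `CFLAGS += -g -Wall` line; splitting it the same way keeps the two consistent so a later edit to the warning flags touches both. A more robust alternative to hand-listing each variable is `include /usr/share/dpkg/buildflags.mk`, which sets CFLAGS, CXXFLAGS, CPPFLAGS and LDFLAGS from dpkg-buildflags in one go, so an omitted variable, which is exactly this bug, cannot recur.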

    @@ -21,7 +22,7 @@
     configure-stamp:
            dh_testdir
            # Add here commands to configure the package.
    -       CFLAGS="$(CFLAGS)" CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" 
./configure \
    +       CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" CPPFLAGS="$(CPPFLAGS)" 
LDFLAGS="$(LDFLAGS)" ./configure \
                            --prefix=/usr \
                            --mandir=\$${prefix}/share/man \
                            --infodir=\$${prefix}/share/info \
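Review bot: as quoted here the two long `./configure` lines have been wrapped by the mail client (the `-` and `+` lines break before `./configure \` and before `LDFLAGS="$(LDFLAGS)" ./configure \`), so this inline copy will not apply with `patch` until those lines are rejoined. The removed line also carries trailing whitespace after `LDFLAGS="$(LDFLAGS)"`, which is likely the whitespace the maintainer later mentions fixing. Passing CXXFLAGS to `./configure` next to the other three is the right place: autoconf records it in the generated Makefiles, so the hardening flags reach every C++ object in src/.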

While building with the CXXFLAGS, several -Wformat-security errors
occurred. The attached bug fixes those. I'm not sure if the first
fix (Fish.cc) is correct though, please have a look.

Regards,
Simon

[1]: https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2]: https://wiki.debian.org/HardeningWalkthrough
[3]: https://wiki.debian.org/Hardening
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Description: Fix errors reported by -Werror=format-security.
Author: Simon Ruderich <[email protected]>
Last-Update: 2012-03-13

Index: lftp-4.3.5/src/Fish.cc
===================================================================
--- lftp-4.3.5.orig/src/Fish.cc 2012-03-13 23:23:55.709806633 +0100
+++ lftp-4.3.5/src/Fish.cc      2012-03-13 23:24:31.593807999 +0100
@@ -564,7 +564,7 @@
         const char *eol=strchr(err,'\n');
         if(eol) {
            xstring &e=xstring::get_tmp(err,eol-err);
-           LogError(0,e);
+           LogError(0,"%s",e.tmp_buf(eol-err));
            SetError(NO_FILE,e);
            if(pty_recv_buf)
               pty_recv_buf->Skip(eol-err+1);
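Review bot: the `"%s"` is the right fix, since `err` is data read from the remote side (the `pty_recv_buf->Skip(eol-err+1)` below shows where it comes from) and must never be used as a format string, but the argument looks wrong: `e` was already built with exactly `eol-err` bytes by `xstring::get_tmp(err,eol-err)`, so calling `e.tmp_buf(eol-err)` again is at best redundant, and if `tmp_buf` hands back scratch space rather than the string's contents the logged message will be garbage. The reporter flags this hunk as uncertain; before applying, check what `xstring::tmp_buf` returns and pass the string's own contents as the `%s` argument instead.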
Index: lftp-4.3.5/src/Job.h
===================================================================
--- lftp-4.3.5.orig/src/Job.h   2012-03-13 23:23:55.677806632 +0100
+++ lftp-4.3.5/src/Job.h        2012-03-13 23:24:31.597807999 +0100
@@ -77,7 +77,7 @@
    void ClearStatus()
       {
         const char *empty="";
-        eprintf(empty);
+        eprintf("%s",empty); /* just "" causes a -Wformat-zero-length" warning, not sure what this line does though */
       }
    virtual void          SayFinal() {}; // final phrase of fg job
    virtual int   Done()=0;
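Review bot: the added comment has an unbalanced quote (`-Wformat-zero-length"`), runs well past 80 columns, and records the reporter's uncertainty ("not sure what this line does") in the source, which belongs in the bug report rather than in Job.h. Suggest `eprintf("%s",empty); // a literal "" would trigger -Wformat-zero-length` and ask upstream to confirm what `ClearStatus()` is meant to do with an empty message, which is the real open question here.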
Index: lftp-4.3.5/src/SleepJob.cc
===================================================================
--- lftp-4.3.5.orig/src/SleepJob.cc     2012-03-13 23:23:55.625806630 +0100
+++ lftp-4.3.5/src/SleepJob.cc  2012-03-13 23:24:31.597807999 +0100
@@ -119,7 +119,7 @@
       Job::ShowRunStatus(s);
    else
    {
-      s->Show(Status());
+      s->Show("%s",Status());
       current->TimeoutS(1);
    }
 }
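Review bot: correct, and the same shape as the mgetJob.cc hunk: `Status()` returns a string built at run time, not a literal, so `Show(Status())` let that text be interpreted as a format string and `Show("%s",Status())` is the right repair. Since `-Werror=format-security` is now part of the hardening CXXFLAGS, the build itself will reject any remaining `Show(` or `LogError(` call with a non-literal single argument; the build log is the check that nothing was missed.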
Index: lftp-4.3.5/src/mgetJob.cc
===================================================================
--- lftp-4.3.5.orig/src/mgetJob.cc      2012-03-13 23:23:55.625806630 +0100
+++ lftp-4.3.5/src/mgetJob.cc   2012-03-13 23:24:31.597807999 +0100
@@ -36,7 +36,7 @@
 {
    if(rg)
    {
-      s->Show(rg->Status());
+      s->Show("%s",rg->Status());
       return;
    }
    GetJob::ShowRunStatus(s);
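Review bot: same fix as SleepJob.cc and fine as is. The recurring pattern (four call sites passing a run-time string where a format is expected) suggests giving `Show()` and `LogError()` an overload that takes a plain string with no format argument, so a future caller cannot reintroduce the bug; that is an upstream change rather than something for this patch.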

--- End Message ---
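The root cause of the report, a rules file that reads some but not all of the dpkg-buildflags variables, can be caught before a build. The shell check below is an added example, not code from the bug report or from the lftp package; it audits a debian/rules file for the four variables, and the two sample rules fragments it constructs mirror the before and after state quoted in the report.

```shell
# Added example (not from the bug report): report which of the four
# dpkg-buildflags variables a debian/rules file never reads from
# dpkg-buildflags. Returns 1 if any is missing, 0 otherwise.
audit_buildflags() {
    rules="$1"
    missing=""
    # A rules file that includes buildflags.mk gets all four variables at once.
    if grep -qE '^[[:space:]]*include[[:space:]]+/usr/share/dpkg/buildflags.mk' "$rules"; then
        echo "ok: buildflags.mk included"
        return 0
    fi
    for var in CFLAGS CXXFLAGS CPPFLAGS LDFLAGS; do
        # Match `dpkg-buildflags --get CFLAGS` but not `--get CPPFLAGS` for CFLAGS.
        if ! grep -qE "dpkg-buildflags[[:space:]]+--get[[:space:]]+$var([^A-Z_]|\$)" "$rules"; then
            missing="$missing $var"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok: all flags taken from dpkg-buildflags"
    return 0
}

# Constructed sample: the lftp 4.3.5-1 rules fragment as quoted in the report.
work=$(mktemp -d)
cat > "$work/before.rules" <<'EOF'
CFLAGS = `dpkg-buildflags --get CFLAGS`
CFLAGS += -g -Wall
LDFLAGS = `dpkg-buildflags --get LDFLAGS`
CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
EOF
# Constructed sample: the same fragment with the CXXFLAGS line from the patch.
cat > "$work/after.rules" <<'EOF'
CFLAGS = `dpkg-buildflags --get CFLAGS`
CFLAGS += -g -Wall
CXXFLAGS = `dpkg-buildflags --get CXXFLAGS` -g -Wall
LDFLAGS = `dpkg-buildflags --get LDFLAGS`
CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`
EOF

audit_buildflags "$work/before.rules" || echo "before.rules: exit status $?"   # missing: CXXFLAGS
audit_buildflags "$work/after.rules"                                          # ok
```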
--- Begin Message ---
Source: lftp
Source-Version: 4.3.5-2

We believe that the bug you reported is fixed in the latest version of
lftp, which is due to be installed in the Debian FTP archive:

lftp_4.3.5-2.debian.tar.gz
  to main/l/lftp/lftp_4.3.5-2.debian.tar.gz
lftp_4.3.5-2.dsc
  to main/l/lftp/lftp_4.3.5-2.dsc
lftp_4.3.5-2_amd64.deb
  to main/l/lftp/lftp_4.3.5-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Noël Köthe <[email protected]> (supplier of updated lftp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 25 Mar 2012 11:21:50 +0200
Source: lftp
Binary: lftp
Architecture: source amd64
Version: 4.3.5-2
Distribution: unstable
Urgency: low
Maintainer: Noël Köthe <[email protected]>
Changed-By: Noël Köthe <[email protected]>
Description: 
 lftp       - Sophisticated command-line FTP/HTTP client programs
Closes: 663908
Changes: 
 lftp (4.3.5-2) unstable; urgency=low
 .
   * updated Standards-Version to 3.9.3 without changes
   * corrected hardening flags with patch from Simon Ruderich (thx)
     (applied/reported upstream with minor whitespace fixes)
     closes: Bug#663908

--- End Message ---
