Package: rtkit
Version: 0.11-4
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

rtkit passes the output of strerror() as the *format* argument of
dbus_message_new_error_printf() instead of supplying a "%s" format and the
string as a parameter. That is a format-string hazard, and it also causes the
package to FTBFS when it builds against a newer dbus version (e.g. 1.11.8 and
newer, available in experimental), whose headers flag the call under
-Werror=format-security:

/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c: In function 'dbus_handler':
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1336:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1361:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1366:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1371:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1388:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1413:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1418:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^
/usr/src/packages/BUILD/rtkit-0.11/./rtkit-daemon.c:1423:25: error: format not 
a string literal and no format arguments [-Werror=format-security]
                         assert_se(r = dbus_message_new_error_printf(m, 
translate_error_forward(ret), strerror(-ret)));
                         ^

Please find attached a patch that fixes it.

- -- 
Cheers,
  Andrew

-----BEGIN PGP SIGNATURE-----

iQI8BAEBCAAmBQJYqzVrHxxhbmRyZXcuc2hhZHVyYUBjb2xsYWJvcmEuY28udWsA
CgkQQWcbs0qEk4G3FhAAzXBp0ljgzhQ6c5rsUsYzLMHU0fumzp3PNX0Ta6OkUOe0
6DShV8EEI81ejLiViaVnvyoJ5ThwpbcYojRYXws0lDCn7xmqdRspB3zCrgnmWc34
naI1UyP/Nvk1QqVGWP91ZKh31BHjp2UHGeknLwA2e87ausZvAqAdH/5b81J3moRs
0FtEGj3qT+IUnYPqdaS1rMsqUeTP9ePuI8r8qbnjYxJ9pomcIspCBcNculJThO/1
MQnGcLnLjCxtJl7vQ8EDajLgpmv+zn+oD33FEMxMdl4aB25jU/YolFe/g3ijK9jP
4Mj6AIB7yIWsL8p+wDi/BfRkKHoXQNzMb+Lwe1WuTTcBjVcggpYe6IsTF9Ux9MA/
hSilxWiuj3ahIi/qboWvmZHGG3+F68Vcr0AC/7VxtDiKMgf45lkRLp4xF+S3WMFW
y871BCOz21LqUi1jXZK+ab6IYN6FoqwSPhsxrvCv8PzC56pLU5+tgp68ADrTkhZo
6w4luPWjkYu7otxsQ95vI2BeVVXdpGBSrkSciTI1KFOdzgnfxFCHFAT9p+FQlmS2
1lQe4O3x4JAtAfrZ4zB/JDPdRYUWSb0FK25F03jZ361DOnfnSbvSvDmIi05CscM3
82xjg8gjfP8QGjLDb/EYMaFzhOD3cVPXyL4OefXMcoFHDeNFoXVAdDUY3G4yVAs=
=RfGv
-----END PGP SIGNATURE-----
diff -Nru rtkit-0.11/debian/changelog rtkit-0.11/debian/changelog
--- rtkit-0.11/debian/changelog	2015-10-24 23:44:21.000000000 +0200
+++ rtkit-0.11/debian/changelog	2017-02-20 19:15:34.000000000 +0100
@@ -1,3 +1,11 @@
+rtkit (0.11-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add a format string to dbus_message_new_error_printf (fixes an FTBFS due to
+    -Werror=format-security).
+
+ -- Andrew Shadura <andre...@debian.org>  Mon, 20 Feb 2017 19:15:34 +0100
+
 rtkit (0.11-4) unstable; urgency=medium
 
   * Remove stale ubuntu.series file.
diff -Nru rtkit-0.11/debian/patches/0006-fix-format-strings.patch rtkit-0.11/debian/patches/0006-fix-format-strings.patch
--- rtkit-0.11/debian/patches/0006-fix-format-strings.patch	1970-01-01 01:00:00.000000000 +0100
+++ rtkit-0.11/debian/patches/0006-fix-format-strings.patch	2017-02-20 19:15:34.000000000 +0100
@@ -0,0 +1,68 @@
+From: Andrew Shadura <andrew.shad...@collabora.co.uk>
+Date: Mon, 20 Feb 2017 19:17:18 +0100
+Subject: Add a format string to dbus_message_new_error_printf (fixes an FTBFS
+ due to -Werror=format-security).
+Forwarded: no
+
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1333,7 +1333,7 @@
+                 int ret;
+ 
+                 if ((ret = verify_canary_refusal()) < 0) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+@@ -1358,17 +1358,17 @@
+ 
+                 if ((ret = lookup_client(&u, &p, &t, c, m, (pid_t)process, (pid_t) thread)) < 0) {
+                         syslog(LOG_DEBUG, "Failed to look up client: %s\n", strerror(-ret));
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+                 if ((ret = verify_polkit(c, u, p, "org.freedesktop.RealtimeKit1.acquire-real-time")) < 0) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+                 if ((ret = process_set_realtime(u, p, t, priority))) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+@@ -1385,7 +1385,7 @@
+                 int ret;
+ 
+                 if ((ret = verify_canary_refusal()) < 0) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+@@ -1410,17 +1410,17 @@
+ 
+                 if ((ret = lookup_client(&u, &p, &t, c, m, (pid_t)process, (pid_t) thread)) < 0) {
+                         syslog(LOG_DEBUG, "Failed to look up client: %s\n", strerror(-ret));
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+                 if ((ret = verify_polkit(c, u, p, "org.freedesktop.RealtimeKit1.acquire-high-priority")) < 0) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
+                 if ((ret = process_set_high_priority(u, p, t, priority))) {
+-                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), strerror(-ret)));
++                        assert_se(r = dbus_message_new_error_printf(m, translate_error_forward(ret), "%s", strerror(-ret)));
+                         goto finish;
+                 }
+ 
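Review bot: Adding `"%s"` is the right fix, but dbus_message_new_error() takes the error message as a plain string with no format at all, so each of the eight call sites could instead read `assert_se(r = dbus_message_new_error(m, translate_error_forward(ret), strerror(-ret)));` and avoid the varargs path entirely. Either way the changelog entry should describe this as a correctness fix rather than only a build fix: before the change, a `%` in a (possibly localized) strerror() text would have been interpreted as a conversion with no matching argument. The patch header says `Forwarded: no`; since the defect is in upstream rtkit-daemon.c it should be sent upstream so other distributions pick it up too. The enclosing dbus_handler() function starts and ends outside the hunk.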
diff -Nru rtkit-0.11/debian/patches/series rtkit-0.11/debian/patches/series
--- rtkit-0.11/debian/patches/series	2015-10-24 23:44:21.000000000 +0200
+++ rtkit-0.11/debian/patches/series	2017-02-20 19:15:34.000000000 +0100
@@ -3,3 +3,4 @@
 0003-Fix-rtkit-test.patch
 0004-link-with-rt.patch
 0005-no-ptrace-cap.patch
+0006-fix-format-strings.patch
