Control: tags -1 + fixed-upstream

On 2021-10-24 05:56 -0700, Robert Woodcock wrote:

> On 10/24/21 4:36 AM, Rogier Wolff wrote:
>>
>> I think this is perfectly legal C code and your compiler doesn't like
>> it. It doesn't just warn, but gives an error. 
>>
>>      Roger. 
> Rogier, that is a 100% true statement, but Debian (and most other
> distributions) have started using the -Werror=format-security build flag for
> everything everywhere because leaving all of these calls as-is means, in
> certain cases, leaving vulnerabilities in.  Sure, you can prove that mtr's
> code introduces no such vulnerabilities because none of the format specs are
> user-supplied, but it's probably not reasonable to expect that that would be
> a one-time effort, whereas changing the code would be.

In the meantime upstream has accepted a pull request (not tested by me):

https://github.com/traviscross/mtr/commit/aeb493e08eabcb4e6178bda0bb84e9cd01c9f213

Cheers,
       Sven
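
The call shape under discussion, as an added example that is not taken from mtr or from anyone in this thread: a hypothetical wrapper stands in for a call written like `snprintf(out, n, text)`, next to the literal-format form, and the constructed sample text shows that text in the format position is interpreted rather than copied. All function names and the sample string are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: text that happens to contain a '%' sequence.
 * "%%" keeps the demonstration well-defined (it consumes no argument). */
static const char SAMPLE[] = "loss 50%% on hop 3";

/* Hypothetical wrapper standing in for a call of the shape
 * snprintf(out, n, text). Written directly, that call is what
 * -Werror=format-security rejects ("format not a string literal and
 * no format arguments"). This wrapper carries no format attribute,
 * so the compiler does not check its callers. */
static int text_as_format(char *out, size_t n, const char *text, ...)
{
    va_list ap;
    va_start(ap, text);
    int r = vsnprintf(out, n, text, ap);  /* text is parsed as a format */
    va_end(ap);
    return r;
}

/* The one-time change: a literal format, with the text passed as data. */
static int text_as_data(char *out, size_t n, const char *text)
{
    return snprintf(out, n, "%s", text);
}

/* Returns 1 when the two call shapes produce different output,
 * i.e. when the text was interpreted instead of copied. */
static int interpreted(const char *text)
{
    char a[128], b[128];
    text_as_format(a, sizeof a, text);
    text_as_data(b, sizeof b, text);
    return strcmp(a, b) != 0;
}

int main(void)
{
    printf("sample interpreted: %d\n", interpreted(SAMPLE));
    printf("plain text interpreted: %d\n", interpreted("hop 3 ok"));
    return 0;
}
```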
