Control: tags -1 + pending Control: tags -1 + patch Dear maintainer,
I've prepared an NMU for netdiag (versioned as 1.2-1.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Reiner
diff -u netdiag-1.2/debian/changelog netdiag-1.2/debian/changelog
--- netdiag-1.2/debian/changelog
+++ netdiag-1.2/debian/changelog
@@ -1,3 +1,10 @@
+netdiag (1.2-1.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Use fixed format strings in mvprintw calls. (Closes: #997174)
+
+ -- Reiner Herrmann <rei...@reiner-h.de> Sun, 16 Oct 2022 15:28:17 +0200
+
 netdiag (1.2-1.1) unstable; urgency=medium

 * Non-maintainer upload.
diff -u netdiag-1.2/debian/patches/series netdiag-1.2/debian/patches/series
--- netdiag-1.2/debian/patches/series
+++ netdiag-1.2/debian/patches/series
@@ -8,3 +8,4 @@
 clang-ftbfs.diff
 gcc-10.diff
 pcap_init.diff
+gcc12.patch
only in patch2: unchanged:
--- netdiag-1.2.orig/debian/patches/gcc12.patch
+++ netdiag-1.2/debian/patches/gcc12.patch
@@ -0,0 +1,51 @@
+Author: Reiner Herrmann <rei...@reiner-h.de>
+Bug-Debian: https://bugs.debian.org/997174
+Description: Use fixed format string in mvprintw to prevent format string vulnerabilities
+
+--- a/statnet-3.8/statnet.c
++++ b/statnet-3.8/statnet.c
+@@ -467,7 +467,7 @@
+ #define min(a,b) (((a) > (b)) ? (b) : (a))
+ if( COLS < 25 + min( 25, strlen( StatMem->servername ) ) )
+ {
+- mvprintw (0, (COLS - min( 25, strlen( StatMem->servername ) )) / 2,
++ mvprintw (0, (COLS - min( 25, strlen( StatMem->servername ) )) / 2, "%s",
+ StatMem->servername);
+ }
+ else
+@@ -475,13 +475,13 @@
+ if( ((COLS/2) + 14) > COLS - min( 25, strlen( StatMem->servername )+1 ) )
+ {
+ mvprintw (0, 0, "STATISTICS OF NETWORKS");
+- mvprintw (0, (COLS - min( 25, strlen( StatMem->servername )+1 )),
++ mvprintw (0, (COLS - min( 25, strlen( StatMem->servername )+1 )), "%s",
+ StatMem->servername);
+ }
+ else
+ {
+ mvprintw (0, (COLS - 22) / 2, "STATISTICS OF NETWORKS");
+- mvprintw (0, (COLS - min( 25, strlen( StatMem->servername )+1 )),
++ mvprintw (0, (COLS - min( 25, strlen( StatMem->servername )+1 )), "%s",
+ StatMem->servername);
+ }
+ }
+--- a/netwatch-1.3.1-2/dispdata.c
++++ b/netwatch-1.3.1-2/dispdata.c
+@@ -1488,7 +1488,7 @@
+ fprintf (fpspeclog, "%s\n", ttt);
+ else
+ //!!mvprintw (yact, xleft, "%s",ttt);
+- mvprintw (yact, xleft, ttt);
++ mvprintw (yact, xleft, "%s", ttt);
+ attron (col4);
+ if (current->update)
+ {
+@@ -1736,7 +1736,7 @@
+ fprintf (fpspeclog, "%s\n", ttt);
+ else
+ //!!mvprintw (yact, xright,"%s", ttt);
+- mvprintw (yact, xright, ttt);
++ mvprintw (yact, xright, "%s", ttt);
+ attron (col4);
+ if (current->update)
+ {
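Review bot: In the three statnet.c calls the column is clamped with `min( 25, strlen( StatMem->servername ) )`, but the new `"%s"` still prints the whole string, so a server name longer than 25 characters would start at the clamped column and extend past the right edge of row 0. A precision would keep the output in step with the width calculation: use `"%.25s"` in place of `"%s"` in those calls. Where `servername` is filled in is not visible in these hunks, so whether it can exceed 25 characters should be confirmed against its source. In dispdata.c the `//!!mvprintw (yact, xleft, "%s",ttt);` and `//!!mvprintw (yact, xright,"%s", ttt);` comments now duplicate the live calls and could be dropped. All four inner hunks cut through functions whose start and end lie outside the patch.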