Hi!

On Thu, 2024-01-04 at 14:04:50 -0800, Steve Langasek wrote:
> Package: acl
> Version: 2.3.1-4
> Severity: normal
> Tags: patch
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu noble ubuntu-patch
>
> This traces back to a use of a 0-length array in a struct as a flexible
> variable-length array, which confuses the compiler's + glibc's string
> hardening and results in a false-positive detection of a buffer overflow.
>
> While this false-positive could be avoided by downgrading from
> _FORTIFY_SOURCE=3 back to _FORTIFY_SOURCE=2, that would also weaken our
> ability to detect actual bugs, so instead I've prepared the attached patch
> to make the flexible array implementation compatible with the gcc hardening
> implementation, as described at
> <https://people.kernel.org/kees/bounded-flexible-arrays-in-c>.

Thanks for the analysis and patch, I can confirm the issue and the fix.
I've queued this for my next upload to unstable, which I'll be doing
after a quick one into experimental.

Regards,
Guillem