forwarded 661536 https://rt.cpan.org/Public/Bug/Display.html?id=75642
severity 661536 grave
tag 661536 security patch
found 661536 2.17.1-2
thanks
On Mon, Feb 27, 2012 at 09:31:31PM +0000, Dominic Hargreaves wrote:
> Source: libdbd-pg-perl
> Severity: normal
> Version: 2.18.1-1
>
> With hardening flags enabled, this package FTBFS:
>
> dbdimp.c: In function 'pg_warn':
> dbdimp.c:331:4: error: format not a string literal and no format arguments
> [-Werror=format-security]
> dbdimp.c: In function 'pg_st_prepare':
> dbdimp.c:1534:4: error: format not a string literal and no format arguments
> [-Werror=format-security]
> cc1: some warnings being treated as errors

These format strings can be injected by a malicious server, so raising the
severity. A DSA will be issued for squeeze.

I've just notified upstream via the RT ticket.

Could somebody from the pkg-perl team (I believe Dominic already volunteered)
please prepare updated packages (built with -sa for stable-security as this is
new there)?

Trivial patch attached.

-- 
Niko Tyni nt...@debian.org
>From f014710c05e4952385c8223a47bb1fcb7b48b51a Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Sat, 3 Mar 2012 21:50:32 +0200 Subject: [PATCH] Explicitly warn and croak with controlled format strings This fixes builds with 'gcc -Werror=format-security'. --- dbdimp.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dbdimp.c b/dbdimp.c index c298e85..7032f79 100644 --- a/dbdimp.c +++ b/dbdimp.c @@ -328,7 +328,7 @@ static void pg_warn (void * arg, const char * message) DBIc_is(imp_dbh, DBIcf_PrintWarn) ? 1 : 0); if (DBIc_WARN(imp_dbh) && DBIc_is(imp_dbh, DBIcf_PrintWarn)) - warn(message); + warn("%s", message); if (TEND) TRC(DBILOGFP, "%sEnd pg_warn\n", THEADER); } @@ -1531,7 +1531,7 @@ int dbd_st_prepare (SV * sth, imp_sth_t * imp_sth, char * statement, SV * attrib if (pg_st_prepare_statement(aTHX_ sth, imp_sth)!=0) { TRACE_PQERRORMESSAGE; - croak (PQerrorMessage(imp_dbh->conn)); + croak ("%s", PQerrorMessage(imp_dbh->conn)); } } -- 1.7.9.1
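Review bot: the first hunk (pg_warn) is the right fix, but it only covers the call that -Werror=format-security can see. pg_warn is the libpq notice callback, so `message` is text chosen by the server; passing it as the format argument let any `%` directives in a server notice be interpreted by warn(), and `warn("%s", message)` removes that. Since -Wformat-security only reports non-literal formats that have no further arguments, a build with -Wformat=2 (which includes -Wformat-nonliteral) would show whether any other warn()/croak() callers in dbdimp.c hand a non-literal format together with arguments; worth a pass before the stable upload.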
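Review bot: the second hunk (dbd_st_prepare) is correct for the same reason: PQerrorMessage() returns the server's error text, so `croak ("%s", PQerrorMessage(imp_dbh->conn))` is required rather than using that text as the format. The commit message, though, only describes this as fixing builds with 'gcc -Werror=format-security'; since the cover mail raises the bug to grave with a DSA planned, the message should state that the previous code allowed a malicious server to supply the format string, so the security impact is visible in the history and in the changelog that stable-security will carry.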
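The pattern the patch corrects, as an added C example that is not part of DBD::Pg or of Niko's patch: the server-supplied text is always passed as an argument to a fixed `"%s"` format, and a small audit helper counts the conversion directives that the same text would have introduced had it been used as the format. The `warn_fmt` wrapper, `report_controlled`, `count_directives` and the sample server message are all constructed for this example; `snprintf`/`vfprintf` stand in for Perl's `warn()`/`croak()`, which are printf-style too.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Perl's warn(): a printf-style sink. The format
 * attribute lets gcc -Wformat-security / -Wformat=2 flag a call that passes
 * a non-literal string as fmt, which is how the DBD::Pg bug was found. */
static void warn_fmt(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void warn_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* Controlled-format pattern (the patch's fix): untrusted text is an argument
 * to a fixed format, so its '%' characters are copied literally. Returns the
 * number of characters that snprintf would have written. */
static int report_controlled(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Audit helper: count printf conversion directives that an untrusted string
 * would introduce if it were (wrongly) used as the format itself.
 * "%%" is an escaped literal percent and is not counted. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": literal percent, skip both characters */
            p++;
            continue;
        }
        n++;                 /* any other '%' starts a conversion directive */
    }
    return n;
}

/* 1 when the text contains no directives and would be harmless as a format. */
static int is_safe_as_format(const char *s)
{
    return count_directives(s) == 0;
}

/* 1 when the controlled path reproduces the message byte-for-byte. */
static int controlled_preserves(const char *msg)
{
    char buf[256];
    report_controlled(buf, sizeof buf, msg);
    return strcmp(buf, msg) == 0;
}

int main(void)
{
    /* Constructed sample of an error text a hostile server could return. */
    const char *server_msg = "ERROR: relation %s%s%n does not exist";

    printf("directives the message would inject as a format: %d\n",
           count_directives(server_msg));
    printf("safe to use directly as a format: %s\n",
           is_safe_as_format(server_msg) ? "yes" : "no");

    /* The fixed pattern: message is an argument, never the format. */
    warn_fmt("%s", server_msg);
    printf("controlled path preserved the text: %s\n",
           controlled_preserves(server_msg) ? "yes" : "no");
    return 0;
}
```

Compiling this with `gcc -Wformat=2 -Werror=format-security` and changing the `warn_fmt("%s", server_msg)` call to `warn_fmt(server_msg)` reproduces the error Dominic reported, which is the cheapest regression check for the class of bug the patch closes.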