Bug#654270: gnusound: FTBFS on armhf, reproduced on amd64: error: format not a string literal and no format arguments [-Werror=format-security]

2012-01-31 Thread Marc Dequènes (Duck)

Coin,

Quoting Jonathan Nieder jrnie...@gmail.com:


> Format string includes filename, which I believe can be arbitrary.
> Looks like a low-severity security bug.  (Attacker tricks victim
> into opening sound file with funny name.  Then...)


Yes, that's true for any package needing a format-security patch.

I'll prepare a package for stable, but I'm gonna solve the problem in
unstable by a removal, as nobody has stepped to handle maintainership
since I asked for help on #622013 and alerted the GNU application
maintainer.


Regards.

--
Marc Dequènes (Duck)





2012-01-31 Thread Moritz Muehlenhoff

On Tue, Jan 31, 2012 at 10:22:20AM +0100, Marc Dequènes (Duck) wrote:
> Coin,
>
> Quoting Jonathan Nieder jrnie...@gmail.com:
>
> > Format string includes filename, which I believe can be arbitrary.
> > Looks like a low-severity security bug.  (Attacker tricks victim
> > into opening sound file with funny name.  Then...)
>
> Yes, that's true for any package needing a format-security patch.
>
> I'll prepare a package for stable, but I'm gonna solve the problem in
> unstable by a removal, as nobody has stepped to handle maintainership
> since I asked for help on #622013 and alerted the GNU application
> maintainer.

The impact is very low, please fix this through a point update:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Moritz



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org




2012-01-29 Thread Jonathan Nieder
tags 654270 + upstream security
quit

Konstantinos Margaritis wrote:

> src/gtk2/gui_dialogs.c:59:37: error: format not a string literal and no
> format arguments [-Werror=format-security]

Format string includes filename, which I believe can be arbitrary.
Looks like a low-severity security bug.  (Attacker tricks victim
into opening sound file with funny name.  Then...)

Hope that helps,
Jonathan







2012-01-02 Thread Konstantinos Margaritis
Package: gnusound
Version: 0.7.5-3
Severity: serious

https://buildd.debian.org/status/package.php?p=gnusound&suite=sid

gnusound FTBFS on armhf, but I did reproduce the failure on amd64, hence
the severity set to serious. Here is a small excerpt from the build log:

cc `cat .cflags` -c src/gtk2/gui_dialogs.c -o src/gtk2/gui_dialogs.o
src/gtk2/gui_dialogs.c: In function 'gui_yes_no':
src/gtk2/gui_dialogs.c:59:37: error: format not a string literal and
no format arguments [-Werror=format-security]
src/gtk2/gui_dialogs.c: In function 'gui_alert':
src/gtk2/gui_dialogs.c:98:37: error: format not a string literal and
no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

make[1]: *** [src/gtk2/gui_dialogs.o] Error 1

Konstantinos
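
The pattern behind the diagnostic in this thread, as an added example that is not gnusound's code and not part of the original messages: a message containing a file name is passed as the format argument of a printf-style function. `dialog_text`, `alert_rejected`, `alert_safe`, `count_conversions` and the file name are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style helper standing in for a dialog constructor.
   The format attribute lets GCC apply -Wformat-security to its callers. */
static int dialog_text(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int dialog_text(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

#ifdef SHOW_REJECTED_PATTERN
/* Build with -DSHOW_REJECTED_PATTERN -Wformat -Werror=format-security to get
   "format not a string literal and no format arguments" on this call. */
int alert_rejected(char *out, size_t n, const char *message)
{
    return dialog_text(out, n, message);   /* message is parsed as a format */
}
#endif

/* Corrected form: the format is a literal, the message is only data. */
int alert_safe(char *out, size_t n, const char *message)
{
    return dialog_text(out, n, "%s", message);
}

/* Number of conversions a string would trigger if it were used as a format
   ("%%" is a literal percent sign and is not counted). */
size_t count_conversions(const char *s)
{
    size_t count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *name = "take%d_%s.wav";    /* constructed sample file name */
    char out[64];
    alert_safe(out, sizeof out, name);
    printf("%s (%zu conversions if used as a format)\n", out, count_conversions(name));
    return 0;
}
```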


