Debian Bug report logs - #643422
libgd2: FTBFS: gdtestft.c:77:7: error: format not a string literal and no format arguments [-Werror=format-security]


Package: src:libgd2; Maintainer for src:libgd2 is GD team <pkg-gd-devel@lists.alioth.debian.org>;

Reported by: Didier Raboud <odyx@debian.org>

Date: Tue, 27 Sep 2011 12:38:22 UTC

Severity: serious

Tags: sid, wheezy

Found in version libgd2/2.0.36~rc1~dfsg-5.1

Fixed in version libgd2/2.0.36~rc1~dfsg-6

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#643422; Package src:libgd2. (Tue, 27 Sep 2011 12:38:26 GMT)

Acknowledgement sent to Didier Raboud <odyx@debian.org>:
New Bug report received and forwarded. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Tue, 27 Sep 2011 12:38:26 GMT)

Message #5 received at submit@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: submit@bugs.debian.org
Subject: libgd2: FTBFS: gdtestft.c:77:7: error: format not a string literal and no format arguments [-Werror=format-security]
Date: Tue, 27 Sep 2011 14:32:25 +0200
Source: libgd2
Version: 2.0.36~rc1~dfsg-5.1
Severity: serious
Tags: wheezy sid
User: debian-qa@lists.debian.org
Usertags: qa-ftbfs-20110923 qa-ftbfs hardening-format-security hardening
Justification: FTBFS on amd64

Hi,

During a rebuild of all packages in sid, your package failed to build on
amd64.

Relevant part:
> gcc -DHAVE_CONFIG_H -I. -I/build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/.   -I/usr/include/freetype2  -I/usr/include/libpng12  -g -O2 -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security -Wall -D_REENTRANT -pipe -c /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c
> /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c: In function 'main':
> /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c:77:7: error: format not a string literal and no format arguments [-Werror=format-security]
> /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c:149:7: error: format not a string literal and no format arguments [-Werror=format-security]
> /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c:156:7: error: format not a string literal and no format arguments [-Werror=format-security]
> /build/libgd2-1yNmzR/libgd2-2.0.36~rc1~dfsg/./gdtestft.c:163:7: error: format not a string literal and no format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors
> 
> make[3]: *** [gdtestft.o] Error 1

The full build log is available from:
   http://people.debian.org/~lucas/logs/2011/09/23/libgd2_2.0.36~rc1~dfsg-5.1_lsid64.buildlog

This happened because since dpkg 1.16.0 [0], hardening flags are enabled 
under various conditions.

[0] http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html

A list of current common problems and possible solutions is available at 
http://wiki.debian.org/qa.debian.org/FTBFS . You're welcome to contribute!

About the archive rebuild: The rebuild was done on about 50 AMD64 nodes
of the Grid'5000 platform, using a clean chroot.  Internet was not
accessible from the build systems.




Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#643422; Package src:libgd2. (Fri, 14 Oct 2011 20:33:03 GMT)

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Fri, 14 Oct 2011 20:33:03 GMT)

Message #10 received at 643422@bugs.debian.org:

From: Thorsten Glaser <tg@mirbsd.de>
To: 643422@bugs.debian.org
Subject: libgd2: format-security FTBFS
Date: Fri, 14 Oct 2011 20:27:54 +0000 (UTC)

Hi,

can we have this fixed, pretty please? It prevents building on m68k,
where this version had not yet been built (but the previous, which,
due to the libjpeg transition, is no longer installable, so this is
pretty blocking there).

The correct fix is to replace
	char *foo = /* something */;
	printf(foo);
with
	printf("%s", foo);
or some putsish function.

I may NMU if I get bored enough and nothing happens in a week.

bye,
//mirabilos
-- 
  "Using Lynx is like wearing a really good pair of shades: cuts out
   the glare and harmful UV (ultra-vanity), and you feel so-o-o COOL."
                                         -- Henry Nelson, March 1999
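
The replacement described in the message above, as an added example that is not taken from libgd2 or from patch 0004. The names format_directives, report_error and render_error and the sample string are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an error string that carries a file name chosen at
 * run time, as a library error message might. */
static const char SAMPLE_ERR[] = "cannot open font 'my%sfont.ttf'";

/* Number of conversion specifications printf() would act on if `s` were
 * handed to it as the format. "%%" prints a literal '%' and takes no
 * argument; every other '%' makes printf() fetch an argument that the
 * caller never passed. */
size_t format_directives(const char *s)
{
    size_t n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                    /* step past the '%' */
        if (*s == '%')
            s++;                /* "%%": literal percent */
        else
            n++;                /* "%s", "%d", ...: needs an argument */
    }
    return n;
}

/* Rejected form, the pattern -Werror=format-security refuses to compile:
 *     fprintf(fp, err);
 * Corrected form: the format is a literal and `err` is only data. */
int report_error(FILE *fp, const char *err)
{
    return fprintf(fp, "%s", err);
}

/* Same guarantee when formatting into a buffer: `err` is copied verbatim. */
int render_error(char *out, size_t outlen, const char *err)
{
    return snprintf(out, outlen, "%s", err);
}

int main(void)
{
    char buf[64];
    render_error(buf, sizeof buf, SAMPLE_ERR);
    printf("directives if used as format: %zu\n", format_directives(SAMPLE_ERR));
    printf("rendered with \"%%s\": %s\n", buf);
    return report_error(stderr, SAMPLE_ERR) < 0;
}
```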




Information forwarded to debian-bugs-dist@lists.debian.org, GD team <pkg-gd-devel@lists.alioth.debian.org>:
Bug#643422; Package src:libgd2. (Sat, 15 Oct 2011 20:30:03 GMT)

Acknowledgement sent to 643422@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to GD team <pkg-gd-devel@lists.alioth.debian.org>. (Sat, 15 Oct 2011 20:30:03 GMT)

Message #15 received at 643422@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: Thorsten Glaser <tg@mirbsd.de>, 643422@bugs.debian.org
Subject: Re: [pkg-GD-devel] Bug#643422: libgd2: format-security FTBFS
Date: Sat, 15 Oct 2011 22:26:15 +0200

tags 643422 pending
thanks

Hi Thorsten,

On 11-10-14 at 08:27pm, Thorsten Glaser wrote:
> can we have this fixed, pretty please? It prevents building on m68k, 
> where this version had not yet been built (but the previous, which, 
> due to the libjpeg transition, is no longer installable, so this is 
> pretty blocking there).
> 
> The correct fix is to replace
> 	char *foo = /* something */;
> 	printf(foo);
> with
> 	printf("%s", foo);
> or some putsish function.
> 
> I may NMU if I get bored enough and nothing happens in a week.

Building now - thanks to your poking me.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Added tag(s) pending. Request was from Jonas Smedegaard <dr@jones.dk> to control@bugs.debian.org. (Sat, 15 Oct 2011 20:30:04 GMT)

Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Sat, 15 Oct 2011 20:54:09 GMT)

Notification sent to Didier Raboud <odyx@debian.org>:
Bug acknowledged by developer. (Sat, 15 Oct 2011 20:54:09 GMT)

Message #22 received at 643422-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 643422-close@bugs.debian.org
Subject: Bug#643422: fixed in libgd2 2.0.36~rc1~dfsg-6
Date: Sat, 15 Oct 2011 20:50:31 +0000
Source: libgd2
Source-Version: 2.0.36~rc1~dfsg-6

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive:

libgd-tools_2.0.36~rc1~dfsg-6_amd64.deb
  to main/libg/libgd2/libgd-tools_2.0.36~rc1~dfsg-6_amd64.deb
libgd2-noxpm-dev_2.0.36~rc1~dfsg-6_amd64.deb
  to main/libg/libgd2/libgd2-noxpm-dev_2.0.36~rc1~dfsg-6_amd64.deb
libgd2-noxpm_2.0.36~rc1~dfsg-6_amd64.deb
  to main/libg/libgd2/libgd2-noxpm_2.0.36~rc1~dfsg-6_amd64.deb
libgd2-xpm-dev_2.0.36~rc1~dfsg-6_amd64.deb
  to main/libg/libgd2/libgd2-xpm-dev_2.0.36~rc1~dfsg-6_amd64.deb
libgd2-xpm_2.0.36~rc1~dfsg-6_amd64.deb
  to main/libg/libgd2/libgd2-xpm_2.0.36~rc1~dfsg-6_amd64.deb
libgd2_2.0.36~rc1~dfsg-6.debian.tar.gz
  to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-6.debian.tar.gz
libgd2_2.0.36~rc1~dfsg-6.dsc
  to main/libg/libgd2/libgd2_2.0.36~rc1~dfsg-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 643422@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Oct 2011 22:23:42 +0200
Source: libgd2
Binary: libgd-tools libgd2-xpm-dev libgd2-noxpm-dev libgd2-xpm libgd2-noxpm
Architecture: source amd64
Version: 2.0.36~rc1~dfsg-6
Distribution: unstable
Urgency: low
Maintainer: GD team <pkg-gd-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description: 
 libgd-tools - GD command line tools and example code
 libgd2-noxpm - GD Graphics Library version 2 (without XPM support)
 libgd2-noxpm-dev - GD Graphics Library version 2 (development version)
 libgd2-xpm - GD Graphics Library version 2
 libgd2-xpm-dev - GD Graphics Library version 2 (development version)
Closes: 595368 619537 621612 643422
Changes: 
 libgd2 (2.0.36~rc1~dfsg-6) unstable; urgency=low
 .
   * Acknowledge NMU.
     Closes: bug#619537, #621612. Thanks to Luk Claes.
   * Rewrite copyright file using draft 174 of DEP-5 format.
   * Add patch 0003 to fix support large images.
     Closes: bug#595368. Thanks to Teodor Milkov.
   * Add patch 0004 to fix printf string formatting.
     Closes: bug#643422. Thanks to Didier Raboud and Thorsten Glaser.
   * Bump Standards-Version to 3.9.2.
   * Bump debhelper compatibility level to 7.
   * Update package relations:
     + Tighten build-dependency on cdbs: Needed to support debhelper 7.
     + Relax build-depend unversioned on debhelper and devscripts: Needed
       versions satisfied even in oldstable.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Nov 2011 07:33:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 20:45:14 2014; Machine Name: beach.debian.org
