[OE-core] [PATCH] bash: add patch to build w/ -Wformat-security

Khem Raj raj.khem at gmail.com
Wed Jul 27 00:39:38 UTC 2016


This change is good. Please install it. I think we should think of using security flags as default for AB,
since that's much stricter and will catch more errors than normal flags. Eventually, in the 2.3 timeframe, we
should contemplate hardening the toolchain to default to PIE/pie.

> On Jul 26, 2016, at 8:26 AM, André Draszik <git at andred.net> wrote:
> 
> From: André Draszik <adraszik at tycoint.com>
> 
> Signed-off-by: André Draszik <adraszik at tycoint.com>
> ---
> ...1-help-fix-printf-format-security-warning.patch | 35 ++++++++++++++++++++++
> meta/recipes-extended/bash/bash_4.3.30.bb          |  1 +
> 2 files changed, 36 insertions(+)
> create mode 100644 meta/recipes-extended/bash/bash/0001-help-fix-printf-format-security-warning.patch
> 
> diff --git a/meta/recipes-extended/bash/bash/0001-help-fix-printf-format-security-warning.patch b/meta/recipes-extended/bash/bash/0001-help-fix-printf-format-security-warning.patch
> new file mode 100644
> index 0000000..5405c84
> --- /dev/null
> +++ b/meta/recipes-extended/bash/bash/0001-help-fix-printf-format-security-warning.patch
> @@ -0,0 +1,35 @@
> +From e5837a42f8f48a6a721805ff8f7fcd32861d09ca Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik at tycoint.com>
> +Date: Tue, 26 Jul 2016 13:09:47 +0100
> +Subject: [PATCH] help: fix printf() format security warning
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +| ../../bash-4.3.30/builtins/../../bash-4.3.30/builtins/help.def: In function 'help_builtin':
> +| ../../bash-4.3.30/builtins/../../bash-4.3.30/builtins/help.def:130:7: error: format not a string literal and no format arguments [-Werror=format-security]
> +|        printf (ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
> +|        ^~~~~~
> +
> +Signed-off-by: André Draszik <adraszik at tycoint.com>
> +---
> +Upstream-Status: Pending
> + builtins/help.def | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/builtins/help.def b/builtins/help.def
> +index 1894f17..cf624c6 100644
> +--- a/builtins/help.def
> ++++ b/builtins/help.def
> +@@ -127,7 +127,7 @@ help_builtin (list)
> +
> +   if (glob_pattern_p (list->word->word))
> +     {
> +-      printf (ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
> ++      printf ("%s", ngettext ("Shell commands matching keyword `", "Shell commands matching keywords `", (list->next ? 2 : 1)));
> +       print_word_list (list, ", ");
> +       printf ("'\n\n");
> +     }
> +--
> +2.8.1
> +
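
Review bot: the carried patch's own commit message, between its Subject and its Signed-off-by, contains only the pasted compiler output and never says why the call at help.def:130 is a problem. Add one sentence stating that the format argument is the string returned by ngettext(), which comes from the message catalogue at run time, so any `%` in it would be read as a conversion with no matching argument, and that `printf ("%s", ...)` turns it into plain data. Separately, `Upstream-Status: Pending` sits below the inner `---` next to the diffstat, where git am discards it; moving it above the Signed-off-by keeps it with the message.
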
> diff --git a/meta/recipes-extended/bash/bash_4.3.30.bb b/meta/recipes-extended/bash/bash_4.3.30.bb
> index 95ed392..16a3139 100644
> --- a/meta/recipes-extended/bash/bash_4.3.30.bb
> +++ b/meta/recipes-extended/bash/bash_4.3.30.bb
> @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
>            file://fix-run-coproc-run-heredoc-run-execscript-run-test-f.patch \
>            file://run-ptest \
> 	   file://fix-run-builtins.patch \
> +           file://0001-help-fix-printf-format-security-warning.patch \
>            "
> 
> SRC_URI[tarball.md5sum] = "a27b3ee9be83bd3ba448c0ff52b28447"
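
Review bot: the commit that adds this SRC_URI entry has an empty body (only From and Signed-off-by come before its `---`), so the recipe history records the -Werror=format-security build failure only inside the carried patch. A one-line body repeating the failing file and flag from the quoted compiler error would make the reason visible in the log for bash_4.3.30.bb. On style, the new entry is space-indented like the first entries in the hunk, while the `file://fix-run-builtins.patch` line directly above it starts with a tab; normalising that line belongs in a separate whitespace change.
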
> --
> 2.8.1
> 