[OE-core] [PATCH] security_flags.inc: libidn fails to build w/ -Wformat-security

André Draszik git at andred.net
Tue Jun 28 11:55:42 UTC 2016


On Mon, 2016-06-27 at 12:42 +0300, Alexander Kanavin wrote:
> On 06/27/2016 12:10 PM, Burton, Ross wrote:
> >     ../../libidn-1.32/src/idn.c: In function 'main':
> >     ../../libidn-1.32/src/idn.c:172:7: error: format not a string
> >     literal and no format arguments [-Werror=format-security]
> >            error (0, 0, _("only one of -s, -e, -d, -a, -u or -n can be
> >     specified"));
> > 
> > 
> > As libidn will be dealing with data from the network it seems like the
> > sort of package that should be built with format-security enabled.
> > Wouldn't it be better to fix up the calls to error() instead?

Yes, and no :-)
idn.c is a command line utility and the gcc warnings are all from error
messages printed, e.g. when giving incorrect command line arguments. But it
makes sense in case future versions add more issues in other places as they
would go unnoticed otherwise.

> Also, in general the point of adding this check was that we try to fix 
> the problems in the code. Adding packages to the list of exceptions is 
> missing the point :)
> 
> Please write a patch - I'd say we should accept new exceptions only if 
> fixing the code is shown to be too difficult.

http://lists.openembedded.org/pipermail/openembedded-core/2016-June/123327.html

a.
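
The fix asked for in the quoted text ("fix up the calls to error()") comes down to passing the message as data to a constant `"%s"` format instead of using it as the format itself. The following is an added example, not part of this message or of libidn's code: `report()` and `fake_gettext()` are hypothetical stand-ins for glibc's `error()` and gettext's `_()`, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for glibc's error(status, errnum, format, ...).
   Same printf-style contract, but it formats into a buffer so the
   result can be inspected instead of being written to stderr. */
static char last_msg[128];

__attribute__((format(printf, 3, 4)))
static void report(int status, int errnum, const char *format, ...)
{
    va_list ap;
    (void)status;
    (void)errnum;
    va_start(ap, format);
    vsnprintf(last_msg, sizeof last_msg, format, ap);
    va_end(ap);
}

/* Hypothetical stand-in for gettext's _(): the string is only known at
   run time, so the compiler cannot check it as a format string. */
static const char *fake_gettext(const char *msgid) { return msgid; }
#define _(s) fake_gettext(s)

/* Flagged pattern: the message is the format and there are no arguments.
   The pragmas silence the diagnostic so this half still compiles. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static const char *flagged(const char *msg)
{
    report(0, 0, msg);       /* any '%' in msg is interpreted */
    return last_msg;
}
#pragma GCC diagnostic pop

/* Fixed pattern: constant format, message passed as an argument. */
static const char *fixed(const char *msg)
{
    report(0, 0, "%s", msg); /* msg is copied through untouched */
    return last_msg;
}

int main(void)
{
    const char *m = _("disk 100%% full"); /* constructed sample message */
    printf("flagged: %s\n", flagged(m));
    printf("fixed:   %s\n", fixed(m));
    return 0;
}
```
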



