[OE-core] [PATCH] meta:recipes-extended: zip fix security gaps

Khem Raj raj.khem at gmail.com
Mon May 16 23:08:46 UTC 2016


> On May 16, 2016, at 3:06 PM, Edwin Plauchu <edwin.plauchu.camacho at linux.intel.com> wrote:
> 
> From: Edwin Plauchu <edwin.plauchu.camacho at intel.com>
> 
> This patch avoids the zip recipe failing to compile with compiler flags which elevate common string formatting issues into errors (-Wformat -Wformat-security -Werror=format-security).
> 
> [YOCTO #9552]
> 
> Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho at intel.com>
> ---
> meta/conf/distro/include/security_flags.inc        |  1 -
> .../zip/zip-3.0/fix-security-format.patch          | 42 ++++++++++++++++++++++
> meta/recipes-extended/zip/zip.inc                  |  3 +-
> 3 files changed, 44 insertions(+), 2 deletions(-)
> create mode 100644 meta/recipes-extended/zip/zip-3.0/fix-security-format.patch
> 
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 7a91cec..bb1a398 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -107,7 +107,6 @@ SECURITY_STRINGFORMAT_pn-makedevs = ""
> SECURITY_STRINGFORMAT_pn-oh-puzzles = ""
> SECURITY_STRINGFORMAT_pn-stat = ""
> SECURITY_STRINGFORMAT_pn-unzip = ""
> -SECURITY_STRINGFORMAT_pn-zip = ""
> 
> TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
> TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
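Review bot: removing `SECURITY_STRINGFORMAT_pn-zip = ""` makes zip inherit the format-security flags from SECURITY_CFLAGS for every future build, so this hunk only makes sense if fix-security-format.patch really eliminates every non-literal format call in zip.c; if any remain, the recipe breaks again under -Werror=format-security. The line above still exempts unzip, which is worth checking for the same printf pattern in a follow-up.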
> diff --git a/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch b/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch
> new file mode 100644
> index 0000000..b745c6b
> --- /dev/null
> +++ b/meta/recipes-extended/zip/zip-3.0/fix-security-format.patch
> @@ -0,0 +1,42 @@
> +meta: recipes-extended: Fixing security formatting issues on zip
> +
> +Fix security formatting issues related to printing without NULL argument
> +
> +zip.c: In function 'help_extended':
> +zip.c:1031:5: error: format not a string literal and no format arguments [-Werror=format-security]
> +     printf(text[i]);
> +     ^
> +zip.c: In function 'version_info':
> +zip.c:1228:5: error: format not a string literal and no format arguments [-Werror=format-security]
> +     printf(cryptnote[i]);
> +     ^
> +
> +[YOCTO #9552]
> +[https://bugzilla.yoctoproject.org/show_bug.cgi?id=9552]
> +
> +Upstream-Status: Pending
> +
> +Signed-off-by: Edwin Plauchu <edwin.plauchu.camacho at intel.com>
> +
> +diff --git a/zip.c b/zip.c
> +index 439821f..2ef57e3 100644
> +--- a/zip.c
> ++++ b/zip.c
> +@@ -1028,7 +1028,7 @@ local void help_extended()
> +
> +   for (i = 0; i < sizeof(text)/sizeof(char *); i++)
> +   {
> +-    printf(text[i]);
> ++    printf( text[i] , NULL );

Same issue as discussed in another similar patch. If text[i] is not supposed
to be a printf format string, then qualify it with one, e.g. "%s" is mostly what
you want since they are usually strings otherwise.

> +     putchar('\n');
> +   }
> + #ifdef DOS
> +@@ -1225,7 +1225,7 @@ local void version_info()
> +             CR_MAJORVER, CR_MINORVER, CR_BETA_VER, CR_VERSION_DATE);
> +   for (i = 0; i < sizeof(cryptnote)/sizeof(char *); i++)
> +   {
> +-    printf(cryptnote[i]);
> ++    printf( cryptnote[i] , NULL );
> +     putchar('\n');
> +   }
> +   ++i;  /* crypt support means there IS at least one compilation option */
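Review bot: the replacement `printf( text[i] , NULL );` in help_extended() and `printf( cryptnote[i] , NULL );` in version_info() silence -Werror=format-security without removing the underlying problem: the string is still handed to printf() as its format, so any `%` sequence inside a help or crypt note line is still interpreted as a conversion and reads the NULL argument, or past it. Change both lines to `printf("%s", text[i]);` and `printf("%s", cryptnote[i]);` (or `fputs(text[i], stdout);`, since `putchar('\n')` follows anyway), which also matches the fix suggested in the reply above. The patch header's "Upstream-Status: Pending" should say whether this has been sent to Info-ZIP, since the same lines exist in their zip.c.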
> diff --git a/meta/recipes-extended/zip/zip.inc b/meta/recipes-extended/zip/zip.inc
> index 6221c5e..fac3a9f 100644
> --- a/meta/recipes-extended/zip/zip.inc
> +++ b/meta/recipes-extended/zip/zip.inc
> @@ -5,7 +5,8 @@ SECTION = "console/utils"
> LICENSE = "BSD-3-Clause"
> LIC_FILES_CHKSUM = "file://LICENSE;md5=04d43c5d70b496c032308106e26ae17d"
> 
> -SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz"
> +SRC_URI = "ftp://ftp.info-zip.org/pub/infozip/src/zip${@d.getVar('PV',1).replace('.', '')}.tgz \
> +           file://fix-security-format.patch"
> 
> EXTRA_OEMAKE = "'CC=${CC}' 'BIND=${CC}' 'AS=${CC} -c' 'CPP=${CPP}' \
> 		'CFLAGS=-I. -DUNIX ${CFLAGS}' 'INSTALL=install' \
> --
> 1.9.1
> 

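To show why passing NULL does not help and why the "%s" qualifier (or fputs) asked for in the reply does, here is an added C example that is not from the zip sources or from this patch; the help lines are constructed and format_arg_count is a hypothetical helper that counts the arguments printf() would pull from its va_list for a given format string:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the zip sources or the patch under review.
 * Counts how many variadic arguments a string would consume if printf()
 * used it as the format, which both printf(text[i]) and printf(text[i], NULL)
 * still do. Only "%%" is argument-free; '*' widths also pull an argument. */
int format_arg_count(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* "%%" prints a literal percent */
            continue;
        /* skip flags, width and precision; '*' consumes an argument too */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*')
                n++;
            p++;
        }
        if (*p == '\0')                /* lone '%' at end of string */
            break;
        n++;                           /* the conversion character itself */
    }
    return n;
}

/* The fix a reviewer asks for: caller-supplied text never becomes the format. */
int print_line(const char *s)
{
    return fputs(s, stdout) != EOF && putchar('\n') != EOF;
}

int main(void)
{
    /* constructed help lines; the second hides a "% e" conversion */
    static const char *text[] = {
        "  -r   recurse into directories",
        "  -9   compress better (100% effort)",
        "  -o   make zipfile as old as latest entry",
    };
    for (size_t i = 0; i < sizeof(text) / sizeof(text[0]); i++) {
        printf("%d format arg(s) hidden in: ", format_arg_count(text[i]));
        print_line(text[i]);
    }
    return 0;
}
```

With -Wformat-security the compiler only flags the call shape; format_arg_count shows what the data would do at run time, which is why the second constructed line is reported as consuming one argument.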