unofficial mirror of bug-gnu-emacs@gnu.org 
 help / color / mirror / code / Atom feed
* bug#10591: Bug#655118: Please enabled hardened build flags
       [not found] ` <20120108180151.GA919@pisco.westfalen.local>
@ 2012-01-24  5:02   ` Rob Browning
  2012-01-24  5:05     ` bug#10592: " Rob Browning
  0 siblings, 1 reply; 9+ messages in thread
From: Rob Browning @ 2012-01-24  5:02 UTC (permalink / raw)
  To: 10591; +Cc: 655118, 655118-forwarded, Moritz Mühlenhoff


> Alexandru Cardaniuc <cardaniuc@gmail.com> writes:



Moritz Mühlenhoff <jmm@inutil.org> writes:

> On Sun, Jan 08, 2012 at 06:13:59PM +0100, Moritz Muehlenhoff wrote:
>> Package: emacs23
>> Version: 23.3+1-4
>> Severity: important
>> Tags: patch
>> 
>> Hi Rob,
>> Please enabled hardened build flags through dpkg-buildflags.
>> 
>> Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)
>
> I forgot to add that "-Wformat -Wformat-security -Werror=format-security"
> exposed missing format strings in movemail, for which I attach a patch.
>
> Cheers,
>         Moritz
>

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-24  5:02   ` bug#10591: Bug#655118: Please enabled hardened build flags Rob Browning
@ 2012-01-24  5:05     ` Rob Browning
  2012-01-24  6:06       ` Eli Zaretskii
  2012-01-31  4:22       ` Paul Eggert
  0 siblings, 2 replies; 9+ messages in thread
From: Rob Browning @ 2012-01-24  5:05 UTC (permalink / raw)
  To: 10592; +Cc: 655118, 655118-forwarded, Moritz Mühlenhoff


(Sorry, accidentally hit send too early.)

Mortiz updated Emacs to support -Wformat -Wformat-security
-Werror=format-security.

Here are the relevant changes (further details are available at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655118):

diff -aur emacs23-23.3+1.orig/lib-src/movemail.c emacs23-23.3+1/lib-src/movemail.c
--- emacs23-23.3+1.orig/lib-src/movemail.c	2011-12-29 05:07:27.000000000 +0100
+++ emacs23-23.3+1/lib-src/movemail.c	2012-01-08 17:31:22.000000000 +0100
@@ -615,11 +615,11 @@
 {
   fprintf (stderr, "movemail: ");
   if (s3)
-    fprintf (stderr, s1, s2, s3);
+    fprintf (stderr, "%s%s%s", s1, s2, s3);
   else if (s2)
-    fprintf (stderr, s1, s2);
+    fprintf (stderr, "%s%s", s1, s2);
   else
-    fprintf (stderr, s1);
+    fprintf (stderr, "%s", s1);
   fprintf (stderr, "\n");
 }
 
Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-24  5:05     ` bug#10592: " Rob Browning
@ 2012-01-24  6:06       ` Eli Zaretskii
  2012-01-24 16:17         ` Rob Browning
  2012-01-25  2:22         ` Rob Browning
  2012-01-31  4:22       ` Paul Eggert
  1 sibling, 2 replies; 9+ messages in thread
From: Eli Zaretskii @ 2012-01-24  6:06 UTC (permalink / raw)
  To: Rob Browning; +Cc: 10592, 655118-forwarded, jmm, 655118

> From: Rob Browning <rlb@defaultvalue.org>
> Date: Mon, 23 Jan 2012 23:05:26 -0600
> Cc: 655118@bugs.debian.org, 655118-forwarded@bugs.debian.org,
> 	Moritz Mühlenhoff <jmm@inutil.org>
> 
> --- emacs23-23.3+1.orig/lib-src/movemail.c	2011-12-29 05:07:27.000000000 +0100
> +++ emacs23-23.3+1/lib-src/movemail.c	2012-01-08 17:31:22.000000000 +0100
> @@ -615,11 +615,11 @@
>  {
>    fprintf (stderr, "movemail: ");
>    if (s3)
> -    fprintf (stderr, s1, s2, s3);
> +    fprintf (stderr, "%s%s%s", s1, s2, s3);
>    else if (s2)
> -    fprintf (stderr, s1, s2);
> +    fprintf (stderr, "%s%s", s1, s2);
>    else
> -    fprintf (stderr, s1);
> +    fprintf (stderr, "%s", s1);
>    fprintf (stderr, "\n");
>  }

How can this possibly be TRT?  The commentary to this function says:

  /* Print error message.  `s1' is printf control string, `s2' and `s3'
     are args for it or null. */

If S1 is the printf control string, how will printing it with %s DTRT?
E.g., in this invocation:

      error ("Error connecting to POP server: %s", pop_error, 0);

or in this one:

      error ("Error in open: %s, %s", strerror (errno), outfile);

I think the right fix for this is to declare `error' with the
appropriate printf attribute.  Alternatively, you could use variable
argument lists and call vprintf instead.





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-24  6:06       ` Eli Zaretskii
@ 2012-01-24 16:17         ` Rob Browning
  2012-01-25  2:22         ` Rob Browning
  1 sibling, 0 replies; 9+ messages in thread
From: Rob Browning @ 2012-01-24 16:17 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 10592, 655118-forwarded, jmm, 655118

Eli Zaretskii <eliz@gnu.org> writes:

> How can this possibly be TRT?  The commentary to this function says:

I actually wondered the same thing while I was going to sleep.
Obviously I got in too big a hurry last night.  I'll fix it correctly
myself and re-send.

Thanks, and apologies for the noise.
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-24  6:06       ` Eli Zaretskii
  2012-01-24 16:17         ` Rob Browning
@ 2012-01-25  2:22         ` Rob Browning
  2012-01-25  6:40           ` Eli Zaretskii
  1 sibling, 1 reply; 9+ messages in thread
From: Rob Browning @ 2012-01-25  2:22 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 10592, 655118-forwarded, jmm, 655118

Eli Zaretskii <eliz@gnu.org> writes:

> I think the right fix for this is to declare `error' with the
> appropriate printf attribute.  Alternatively, you could use variable
> argument lists and call vprintf instead.

Would something like this be acceptable, and if not, how would you like
to see it adjusted?  The patch changes error() to use an ANSI
declaration, and it relies on the printf format attribute:

diff --git a/lib-src/movemail.c b/lib-src/movemail.c
index 58add49..6b2fc20 100644
--- a/lib-src/movemail.c
+++ b/lib-src/movemail.c
@@ -60,6 +60,7 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 #include <sys/file.h>
 #include <stdio.h>
 #include <errno.h>
+#include <stdarg.h>
 #include <time.h>
 
 #include <getopt.h>
@@ -152,7 +153,7 @@ extern char *rindex __P((const char *, int));
 #endif
 
 void fatal ();
-void error ();
+void error (const char *template, ...) __attribute__ ((format (printf, 1, 2)));
 void pfatal_with_name ();
 void pfatal_and_delete ();
 char *concat ();
@@ -610,16 +611,13 @@ fatal (s1, s2, s3)
    are args for it or null. */
 
 void
-error (s1, s2, s3)
-     char *s1, *s2, *s3;
+error (const char *template, ...)
 {
+  va_list ap;
   fprintf (stderr, "movemail: ");
-  if (s3)
-    fprintf (stderr, s1, s2, s3);
-  else if (s2)
-    fprintf (stderr, s1, s2);
-  else
-    fprintf (stderr, s1);
+  va_start (ap, template);
+  vfprintf (stderr, template, ap);
+  va_end (ap);
   fprintf (stderr, "\n");
 }
 
@@ -733,13 +731,13 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
   server = pop_open (hostname, user, password, POP_NO_GETPASS);
   if (! server)
     {
-      error ("Error connecting to POP server: %s", pop_error, 0);
+      error ("Error connecting to POP server: %s", pop_error);
       return EXIT_FAILURE;
     }
 
   if (pop_stat (server, &nmsgs, &nbytes))
     {
-      error ("Error getting message count from POP server: %s", pop_error, 0);
+      error ("Error getting message count from POP server: %s", pop_error);
       return EXIT_FAILURE;
     }
 
@@ -761,7 +759,7 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
   if ((mbf = fdopen (mbfi, "wb")) == NULL)
     {
       pop_close (server);
-      error ("Error in fdopen: %s", strerror (errno), 0);
+      error ("Error in fdopen: %s", strerror (errno));
       close (mbfi);
       unlink (outfile);
       return EXIT_FAILURE;
@@ -785,7 +783,7 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
       mbx_delimit_begin (mbf);
       if (pop_retr (server, i, mbf) != OK)
 	{
-	  error ("%s", Errmsg, 0);
+	  error ("%s", Errmsg);
 	  close (mbfi);
 	  return EXIT_FAILURE;
 	}
@@ -793,7 +791,7 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
       fflush (mbf);
       if (ferror (mbf))
 	{
-	  error ("Error in fflush: %s", strerror (errno), 0);
+	  error ("Error in fflush: %s", strerror (errno));
 	  pop_close (server);
 	  close (mbfi);
 	  return EXIT_FAILURE;
@@ -809,14 +807,14 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
 #ifdef BSD_SYSTEM
   if (fsync (mbfi) < 0)
     {
-      error ("Error in fsync: %s", strerror (errno), 0);
+      error ("Error in fsync: %s", strerror (errno));
       return EXIT_FAILURE;
     }
 #endif
 
   if (close (mbfi) == -1)
     {
-      error ("Error in close: %s", strerror (errno), 0);
+      error ("Error in close: %s", strerror (errno));
       return EXIT_FAILURE;
     }
 
@@ -825,7 +823,7 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
       {
 	if (pop_delete (server, i))
 	  {
-	    error ("Error from POP server: %s", pop_error, 0);
+	    error ("Error from POP server: %s", pop_error);
 	    pop_close (server);
 	    return EXIT_FAILURE;
 	  }
@@ -833,7 +831,7 @@ popmail (mailbox, outfile, preserve, password, reverse_order)
 
   if (pop_quit (server))
     {
-      error ("Error from POP server: %s", pop_error, 0);
+      error ("Error from POP server: %s", pop_error);
       return EXIT_FAILURE;
     }
 
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply related	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-25  2:22         ` Rob Browning
@ 2012-01-25  6:40           ` Eli Zaretskii
  2012-01-26  3:13             ` Rob Browning
  0 siblings, 1 reply; 9+ messages in thread
From: Eli Zaretskii @ 2012-01-25  6:40 UTC (permalink / raw)
  To: Rob Browning; +Cc: 10592, 655118-forwarded, jmm, 655118

> From: Rob Browning <rlb@defaultvalue.org>
> Cc: 10592@debbugs.gnu.org,  655118@bugs.debian.org,  655118-forwarded@bugs.debian.org,  jmm@inutil.org
> Date: Tue, 24 Jan 2012 20:22:52 -0600
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > I think the right fix for this is to declare `error' with the
> > appropriate printf attribute.  Alternatively, you could use variable
> > argument lists and call vprintf instead.
> 
> Would something like this be acceptable, and if not, how would you like
> to see it adjusted?  The patch changes error() to use an ANSI
> declaration, and it relies on the printf format attribute:

This is fine with me, but please use ATTRIBUTE_FORMAT_PRINTF (defined
in src/config.h) instead of a literal __attribute__(...), which is a
GCC-only thing.

Thanks.





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-25  6:40           ` Eli Zaretskii
@ 2012-01-26  3:13             ` Rob Browning
  2012-01-26  3:25               ` Rob Browning
  0 siblings, 1 reply; 9+ messages in thread
From: Rob Browning @ 2012-01-26  3:13 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 10592, 655118-forwarded, jmm, 655118

Eli Zaretskii <eliz@gnu.org> writes:

> This is fine with me, but please use ATTRIBUTE_FORMAT_PRINTF (defined
> in src/config.h) instead of a literal __attribute__(...), which is a
> GCC-only thing.

Will do.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-26  3:13             ` Rob Browning
@ 2012-01-26  3:25               ` Rob Browning
  0 siblings, 0 replies; 9+ messages in thread
From: Rob Browning @ 2012-01-26  3:25 UTC (permalink / raw)
  To: Eli Zaretskii; +Cc: 10592, 655118-forwarded, jmm, 655118

Rob Browning <rlb@defaultvalue.org> writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>> This is fine with me, but please use ATTRIBUTE_FORMAT_PRINTF (defined
>> in src/config.h) instead of a literal __attribute__(...), which is a
>> GCC-only thing.
>
> Will do.

OK, that appears to be newer than 23.3, so I'll probably stick with the
gcc-only changes for now (in Debian).

Thanks again.
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4





^ permalink raw reply	[flat|nested] 9+ messages in thread

* bug#10592: Bug#655118: Please enabled hardened build flags
  2012-01-24  5:05     ` bug#10592: " Rob Browning
  2012-01-24  6:06       ` Eli Zaretskii
@ 2012-01-31  4:22       ` Paul Eggert
  1 sibling, 0 replies; 9+ messages in thread
From: Paul Eggert @ 2012-01-31  4:22 UTC (permalink / raw)
  To: 10592-done; +Cc: 655118, Rob Browning

I am not observing this problem in the Emacs trunk, with either
GCC 4.6.2 or GCC 4.7.0 20120127 (experimental), when I compile
with -Wformat -Wformat-security.  I suspect the problem has
already been fixed in the trunk in a different way, by
rewriting movemail to use prototypes.  I'm therefore taking
the liberty of marking this bug as fixed in the Emacs bug
database; please feel free to reopen it if I've misunderstood
the situation.





^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2012-01-31  4:22 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20120108171359.6340.17517.reportbug@pisco.westfalen.local>
     [not found] ` <20120108180151.GA919@pisco.westfalen.local>
2012-01-24  5:02   ` bug#10591: Bug#655118: Please enabled hardened build flags Rob Browning
2012-01-24  5:05     ` bug#10592: " Rob Browning
2012-01-24  6:06       ` Eli Zaretskii
2012-01-24 16:17         ` Rob Browning
2012-01-25  2:22         ` Rob Browning
2012-01-25  6:40           ` Eli Zaretskii
2012-01-26  3:13             ` Rob Browning
2012-01-26  3:25               ` Rob Browning
2012-01-31  4:22       ` Paul Eggert

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).