Fix compilation with -Werror=format-security #3

Merged
merged 1 commit into from
Aug 24, 2022

davidebeatrici
Member

@RalfJung Looks like your commit got lost: 097dc7b

This patch avoids using fprintf with a string variable, i.e.,
fprintf(f, var). Such usage is discouraged because if var can be
attacker-controlled in any way, the application can be
compromised. Therefore, -Werror=format-security complains about such
usage.  Better use fputs, which can't be misused, even though in this
case the printed string is a constant.
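
The difference the commit message describes, as an added example that is not code from this pull request or from osspd: the same string is written once as a format string and once with `fputs` or a literal `"%s"` format. The sample text and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample text. "%%" is a conversion that consumes no argument,
 * so interpreting it is well defined and the difference is observable. */
static const char *sample_msg = "usage: 100%% of buffer\n";

typedef int (*writer_fn)(FILE *, const char *);

/* Pattern the patch removes: the variable is the format string, so any
 * conversion inside it is interpreted. The pragmas only let this "before"
 * case compile under -Werror=format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int write_as_format(FILE *f, const char *msg) { return fprintf(f, msg); }
#pragma GCC diagnostic pop

/* Pattern the patch introduces: fputs has no format string at all. */
static int write_with_fputs(FILE *f, const char *msg) { return fputs(msg, f); }

/* Equivalent fix when formatting is still wanted: a literal format. */
static int write_with_literal(FILE *f, const char *msg) { return fprintf(f, "%s", msg); }

/* Runs one writer against a temporary file and reports whether the bytes
 * that reached the file equal `expected` (1 = equal, 0 = different). */
static int output_equals(writer_fn w, const char *msg, const char *expected)
{
    char buf[128];
    size_t n;
    FILE *f = tmpfile();

    if (f == NULL)
        return 0;
    w(f, msg);
    rewind(f);
    n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("fprintf(f, var) keeps text: %d\n", output_equals(write_as_format, sample_msg, sample_msg));
    printf("fputs(var, f) keeps text:   %d\n", output_equals(write_with_fputs, sample_msg, sample_msg));
    printf("fprintf(f, \"%%s\", var):     %d\n", output_equals(write_with_literal, sample_msg, sample_msg));
    return 0;
}
```
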
@RalfJung
Contributor

RalfJung commented Aug 15, 2022

IIRC I submitted this to a mailing list or so, but upstream has been dead for years so I don't think the patch ever got applied.

EDIT: Ah hm no this file says it got "Committed upstream". And according to my local clone it was indeed in git://git.code.sf.net/p/osspd/code at some point.

@RalfJung
Contributor

This seems to not be the only lost commit; 3a9a019 also was in git://git.code.sf.net/p/osspd/code but does not seem to be in this repo.

@davidebeatrici
Member Author

Oh, it's probably as I suspected: this was not the master repository at one point and the last commits were not mirrored.

@RalfJung
Contributor

RalfJung commented Aug 15, 2022

So which is the master repo these days? I have two remotes in my checkout:

  • git://git.code.sf.net/p/osspd/code
  • git://fuse.git.sourceforge.net/gitroot/fuse/osspd

https://sourceforge.net/projects/osspd/ contains no indication that it is outdated. (That's what I set as the 'homepage' when I created the Debian package.)

If this repo is official now, then I don't think there is a way that one could know this. Is there a better 'homepage' I could set?

@davidebeatrici
Member Author

From https://sourceforge.net/projects/fuse:

git://fuse.git.sourceforge.net/gitroot/fuse/osspd does not seem to be accessible anymore:

fatal: remote error: access denied or repository not exported: /gitroot/fuse/osspd

I assume the master repo is this one and they simply forgot to update the page on SourceForge.

@RalfJung
Contributor

@davidebeatrici
Member Author

Yeah, the repos seem to have diverged right after 4c6161d.

@davidebeatrici
Member Author

SourceForge discussion continues in #6.

@davidebeatrici davidebeatrici merged commit 3aa95b5 into OpenMandrivaSoftware:master Aug 24, 2022
@davidebeatrici davidebeatrici deleted the werror-format-security branch August 24, 2022 21:32