[Bug 1644048] Re: 4.3-7ubuntu1.6 FTBFS on arm64 only with format-security error
Julian Andres Klode
julian.klode at gmail.com
Wed Nov 23 23:30:48 UTC 2016
SRU was rejected. See bug 1644363 for the actual cause of the issue
(hint: ld crashes during static configure).
We might still want to get that fixed in new releases though, but I'm
unsure if this needs updates in stable releases (maybe it improves
security, who knows...).
** Changed in: bash (Ubuntu Trusty)
Status: In Progress => Confirmed
** Summary changed:
- 4.3-7ubuntu1.6 FTBFS on arm64 only with format-security error
+ builtins/help.def: Passes ngettext() result to printf() as format string
--
https://bugs.launchpad.net/bugs/1644048
Title:
builtins/help.def: Passes ngettext() result to printf() as format
string
Status in bash package in Ubuntu:
Confirmed
Status in bash source package in Trusty:
Confirmed
Bug description:
[Impact]
Breaks build on arm64 in trusty:
../.././builtins/../.././builtins/help.def:130:7: error: format not a string literal and no format arguments [-Werror=format-security]
[Test case]
Check it builds
[Regression potential]
Indefinitely low. All we do is add
"%s",
between printf( and ngettext(...
[Other info]
The same code works fine on all other architectures and newer releases, but it seems broken anyway: We are passing the return value of ngettext() to printf() as the format string, which is unsafe.
We should evaluate why that works elsewhere and probably also do the
same fix in other branches, but I'll leave that to someone else to
decide. My intention here is to just get the trusty SRU for bug
1644048 building on all platforms.
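Added example, not part of the original bug report and not bash's own code: a sketch of the fix described under [Regression potential], where the looked-up text is passed as an argument to a literal "%s" instead of being used as the format string. pick_plural() is a hypothetical stand-in for ngettext(), and the catalog entries are constructed sample strings.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ngettext(): returns the singular or plural text
   from a two-entry "catalog". Real catalogs are loaded at run time, so the
   returned text is data that the source code does not control. */
static const char *pick_plural(const char *const entry[2], unsigned long n)
{
    return n == 1 ? entry[0] : entry[1];
}

/* Count the conversion specifications printf() would act on if s were used
   as the format string. "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the second '%' of "%%" */
        else
            count++;        /* printf() would look for an argument here */
    }
    return count;
}

/* Shape rejected by -Werror=format-security (left as a comment on purpose):
       printf(pick_plural(entry, n));
   Fixed shape: the looked-up text is only an argument to a literal "%s". */
int render_fixed(char *out, size_t size, const char *const entry[2],
                 unsigned long n)
{
    return snprintf(out, size, "%s", pick_plural(entry, n));
}

/* Constructed sample entries, not taken from bash or its translations. */
static const char *const benign[2] = { "match found", "matches found" };
static const char *const broken[2] = { "match %s", "matches %s %d" };

int main(void)
{
    char buf[64];
    render_fixed(buf, sizeof buf, broken, 2);
    printf("as a format: %d conversions; as \"%%s\" data: %s\n",
           count_conversions(broken[1]), buf);
    printf("benign entry: %d conversions\n", count_conversions(benign[0]));
    return 0;
}
```

With the "%s" form, a catalog entry containing conversion specifications is printed verbatim and printf() never reads arguments that were not passed.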