[Openvas-distro] Hardening OpenVAS

Tim Brown timb at openvas.org
Wed Aug 19 21:43:10 CEST 2009


On Wednesday 19 August 2009 20:30:40 Stephan Kleine wrote:
> On Wed, Aug 19, 2009 at 8:54 PM, Tim Brown<timb at openvas.org> wrote:
> > On Wednesday 19 August 2009 16:25:52 Stephan Kleine wrote:
> >> I would love it if you fix your code to comply with those. E.g.
> >> Mandriva 2009.1 uses "-Werror=format-security" by default and
> >> currently all builds for it are broken (see
> >> http://wald.intevation.org/tracker/index.php?func=detail&aid=1051&group_id=29&atid=220 )
> >
> > Curious, that builds fine for me on Debian using the same flags... didn't
> > get a similar error....  In fact, the latest versions of all key modules
> > build fine.
>
> No, they are as broken as they ever were (regarding this issue).
> Please correct me if I am wrong but Debian uses "-Wformat-security"
> while Mandriva uses "-Werror=format-security" so Debian just prints a
> warning and moves on while Mandriva bails, right? (so, imho the Debian
> approach is kinda half assed)

Yes sorry, I started off commenting based on your initial bug report and 
didn't see the pdf stuff, I then came back to the email and changed some bits 
but clearly the email no longer made sense :(.  You're absolutely right the 
others are broken with -Werror=format-security, but as I noted later this 
appears to be due to a feature of gcc.

> > Looks like Felix's patch (in the bug report) which is in trunk and
> > current releases does the trick in the first case.
>
> That patch is unrelated (it merely replaces g_strdup_printf with
> g_strdup since that made no sense there anyways).
>
> > The later cases you report
> > are a bug^Wfeature in gcc IMO.  It does not appear that gcc is able to
> > determine that the format string is generated by GNU gettext and
> > therefore throws a wobbly.  Not sure how to resolve, so if anyone else
> > has thoughts I'd be pleased to hear them. *wanders over to gcc on
> > FreeNode*
>
> Dunno if that also could be a Mandriva gcc bug but I kinda doubt it
> since it also compiles their whole distro just fine and therefore I
> consider my warning vs. error theory more likely ;D
>
> iow: try to compile on Debian with "-Werror=format-security" instead
> of "-Wformat-security" and see if that works since just generating a
> few more warnings in the build log is kinda pointless if you ask me.

That last paragraph of mine was me agreeing with you that -Werror caused the 
compiler to bail, but that, having read up on it, it appears to be gcc 
failing to recognise that the value passed in the format string parameter is 
not a simple string but rather a call out to GNU gettext.  Furthermore, it 
appears that this is a known problem.

Hope I make more sense this time.
Tim
-- 
Tim Brown
<mailto:timb at openvas.org>
<http://www.openvas.org/>
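The gcc behaviour discussed in this thread, as an added example that is not code from OpenVAS or from the mailing list: `fake_gettext` and its two-entry catalogue are a constructed stand-in for libintl, used only so the file runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for GNU gettext (hypothetical lookup over a constructed catalogue).
 * Like gettext(), it returns a pointer computed at run time, so gcc never sees
 * a string literal and treats the result as an untrusted format string. */
static const char *const catalogue[][2] = {
    { "Scan finished", "Scan zu 100% abgeschlossen" }, /* translation carries '%' */
    { "Host %s is up", "Host %s ist erreichbar" },
};

static const char *fake_gettext(const char *msgid)
{
    for (size_t i = 0; i < sizeof catalogue / sizeof catalogue[0]; i++)
        if (strcmp(catalogue[i][0], msgid) == 0)
            return catalogue[i][1];
    return msgid; /* untranslated: gettext() hands back the msgid itself */
}
#define _(s) fake_gettext(s) /* the usual gettext shorthand */

/* The call -Werror=format-security rejects, kept in a comment so this file
 * still builds under that flag:
 *     snprintf(buf, len, _("Scan finished"));
 * Non-literal format and no format arguments: the translator's "100% a" would
 * be parsed as a conversion. Passing the translation through a literal "%s"
 * keeps the format string constant and leaves the text inert. */
static int report_finished(char *buf, size_t len)
{
    return snprintf(buf, len, "%s", _("Scan finished"));
}

/* A message that genuinely carries directives has arguments, so
 * -Wformat-security stays quiet. gcc still cannot check the translated
 * directives; that is what msgfmt --check does for c-format entries. */
static int report_host_up(char *buf, size_t len, const char *host)
{
    return snprintf(buf, len, _("Host %s is up"), host);
}
```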