[Openvas-distro] Hardening OpenVAS

Tim Brown timb at openvas.org
Sun Aug 23 03:11:57 CEST 2009


On Wednesday 19 August 2009 20:43:10 Tim Brown wrote:
> On Wednesday 19 August 2009 20:30:40 Stephan Kleine wrote:
> > On Wed, Aug 19, 2009 at 8:54 PM, Tim Brown<timb at openvas.org> wrote:
> > > On Wednesday 19 August 2009 16:25:52 Stephan Kleine wrote:
> > >> I would love it if you fix your code to comply with those. E.g.
> > >> Mandriva 2009.1 uses "-Werror=format-security" by default and
> > >> currently all builds for it are broken (see
> > >> http://wald.intevation.org/tracker/index.php?func=detail&aid=1051&group_id=29&atid=220 )
> > >
> > > Curious, that builds fine for me on Debian using the same flags...
> > > didn't get a similar error....  In fact, the latest versions of all key
> > > modules build fine.
> >
> > No, they are as broken as they ever were (regarding this issue).
> > Please correct me if I am wrong but Debian uses "-Wformat-security"
> > while Mandriva uses "-Werror=format-security" so Debian just prints a
> > warning and moves on while Mandriva bails, right? (so, imho the Debian
> > approach is kinda half assed)
>
> Yes sorry, I started off commenting based on your initial bug report and
> didn't see the pdf stuff, I then came back to the email and changed some
> bits but clearly the email no longer made sense :(.  You're absolutely
> right the others are broken with -Werror=format-security, but as I noted
> later this appears to be due to a feature of gcc.
>
> > > Looks like Felix's patch (in the bug report) which is in trunk and
> > > current releases does the trick in the first case.
> >
> > That patch is unrelated (it merely replaces g_strdup_printf with
> > g_strdup since that made no sense there anyways).
> >
> > > The later cases you report
> > > are a bug^Wfeature in gcc IMO.  It does not appear that gcc is able to
> > > determine that the format string is generated by GNU gettext and
> > > therefore throws a wobbly.  Not sure how to resolve, so if anyone else
> > > has thoughts I'd be pleased to hear them. *wanders over to gcc on
> > > FreeNode*
> >
> > Dunno if that also could be a Mandriva gcc bug but I kinda doubt it
> > since it also compiles their whole distro just fine and therefore I
> > consider my warning vs. error theory more likely ;D
> >
> > iow: try to compile on Debian with "-Werror=format-security" instead
> > of "-Wformat-security" and see if that works since just generating a
> > few more warnings in the build log is kinda pointless if you ask me.
>
> That last paragraph of mine was me agreeing with you that -Werror caused
> the compiler to bail, but that having read up on it, that it appears to be
> gcc failing to recognise that the value passed in the format string
> parameter is not a simple string but rather a call out to GNU gettext. 
> Furthermore it appears that this is a known problem.

Heh, looks like I was overcomplicating my own thoughts on this bug.  In the 
case you reported, it turns out that the bug could be resolved cheaply by 
redefining the PRINT macro in pdf_output from:

#define PRINT(file, x) { char * s = _2l(x); fprintf(file, s); g_free(s); }

to:

#define PRINT(file, x) { char * s = _2l(x); fprintf(file, "%s", s); g_free(s); }

Bug is fixed in trunk...

Tim
-- 
Tim Brown
<mailto:timb at openvas.org>
<http://www.openvas.org/>
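
Added example (not part of the original post and not OpenVAS code): the fixed PRINT macro from the message above, adapted to plain C so it builds without glib, with a check that shows which translated strings the pre-fix form would have interpreted as format directives. Assumptions: translate() stands in for _2l(), free() for g_free(), and count_conversions() and prints_verbatim() are hypothetical helpers; the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: stand-in for _2l(); returns a heap copy the caller frees. */
static char *translate(const char *msgid) {
    size_t n = strlen(msgid) + 1;
    char *s = malloc(n);
    if (s) memcpy(s, msgid, n);
    return s;
}

/* Fixed form from the post (free() replaces g_free(), NULL check added):
 * the translated text is data for a constant "%s" format, never the format. */
#define PRINT(file, x) { char *s = translate(x); if (s) { fprintf(file, "%s", s); free(s); } }

/* Number of conversions fprintf() would act on if str were used as the
 * format, which is what the pre-fix macro did. "%%" is a literal percent. */
int count_conversions(const char *str) {
    int n = 0;
    for (const char *p = str; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* Write text through PRINT into a temp file: 1 if it reads back unchanged,
 * 0 if it was altered, -1 if no temp file could be created. */
int prints_verbatim(const char *text) {
    char buf[256] = {0};
    FILE *f = tmpfile();
    if (!f) return -1;
    PRINT(f, text);
    rewind(f);
    size_t got = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return got == strlen(text) && memcmp(buf, text, got) == 0;
}

int main(void) {
    /* Constructed samples, as a translation catalogue might return them. */
    const char *samples[] = { "Scan complete", "100% done", "Host %s: %d holes" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-20s conversions=%d verbatim=%d\n", samples[i],
               count_conversions(samples[i]), prints_verbatim(samples[i]));
    return 0;
}
```

Note that "100% done" counts as one conversion: "% d" is a valid directive (space flag plus d), so even an innocent-looking translation would have consumed a nonexistent argument under the old macro.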

