
List:       busybox
Subject:    Re: error: format not a string literal and no format arguments
From:       Mike Frysinger <vapier () gentoo ! org>
Date:       2009-10-25 5:42:37
Message-ID: 200910250142.38314.vapier () gentoo ! org


On Saturday 24 October 2009 09:16:23 Cristian Ionescu-Idbohrn wrote:
> On Fri, 23 Oct 2009, Denys Vlasenko wrote:
> > We KNOW bb_path_mtab_file does not contain %format.
> > I do not want to vandalize code just because specific version of gcc
> > is nuts.
> 
> Sorry, I was neither involved in the development of that specific gcc
> option nor in gentoo's (and several other distributions) making
> -Wformat-security a default option.  Of course, the current behaviour
> could be reverted to not being default with a -Wno-format-security in
> Makefile.flags.  Mike Frysinger wrote about it a while ago:
> 
> 	http://patchwork.kernel.org/patch/4730/
> 
> Still, do we want to do that?

my comments are geared towards a completely different environment.  format 
string attacks are rarely an attack vector in the kernel space.  however, 
busybox is in userspace and constantly parsing data given to it by users, so 
my comments about "disable the warning" don't really apply to it.

that doesn't mean i think we should go replacing "%s" in places where a format 
string is never present as busybox is more concerned with size and 
functionality rather than silencing irrelevant security warnings.
-mike
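
The distinction drawn in this thread, as an added example that is not part of the original message or of BusyBox code: a fixed string with no `%` renders identically whether it is passed as the format or as an argument, while data containing `%` does not. All function names and `fixed_path` are hypothetical, and "/etc/mtab" is a constructed stand-in for a compile-time constant.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a constant known at compile time. */
static const char fixed_path[] = "/etc/mtab";

/* 1 if printf would interpret any part of s (any '%', including the
 * "%%" escape), 0 if s is rendered byte for byte. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* The call shape -Wformat-security reports: data used as the format.
 * The warning is silenced for this one function so the file builds
 * even where the option is a default. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_as_format(char *out, size_t n, const char *data)
{
    return snprintf(out, n, data);
}
#pragma GCC diagnostic pop

/* Literal format, data as an argument: data is never interpreted. */
int render_as_data(char *out, size_t n, const char *data)
{
    return snprintf(out, n, "%s", data);
}

/* 1 when both call shapes produce the same bytes for this input. */
int shapes_agree(const char *data)
{
    char a[64], b[64];
    render_as_format(a, sizeof a, data);
    render_as_data(b, sizeof b, data);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Only the "%%" escape is exercised: a directive that consumes an
     * argument that was never passed is undefined behaviour. */
    printf("fixed: directive=%d agree=%d\n",
           has_format_directive(fixed_path), shapes_agree(fixed_path));
    printf("user : directive=%d agree=%d\n",
           has_format_directive("100%%"), shapes_agree("100%%"));
    return 0;
}
```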
