diff -Nru audit-2.2.2/debian/changelog audit-2.2.2/debian/changelog
--- audit-2.2.2/debian/changelog 2013-02-06 15:04:14.000000000 -0800
+++ audit-2.2.2/debian/changelog 2013-02-08 18:36:09.000000000 -0800
@@ -1,3 +1,17 @@
+audit (1:2.2.2-1ubuntu3) raring; urgency=low
+
+ * Fix important build warnings (LP: #1026852)
+ - debian/patches/fix-asprintf-warnings.patch: Linux asprintf()
+ implementations do not provide guarantees around the strp variable upon
+ error so its return code must be checked.
+ - debian/patches/fix-unused-result-warnings.patch: Be sure to check the
+ return code of various important functions and create an appropriate
+ error path.
+ - debian/patches/fix-discards-const-qualifier-warnings.patch: Fix some
+ areas where the const qualifier was not being respected.
+
+ -- Tyler Hicks Fri, 08 Feb 2013 18:36:06 -0800
+
 audit (1:2.2.2-1ubuntu2) raring; urgency=low
 
 * Disable auditd network listener with --disable-listener (LP: #1026852)
diff -Nru audit-2.2.2/debian/patches/fix-asprintf-warnings.patch audit-2.2.2/debian/patches/fix-asprintf-warnings.patch
--- audit-2.2.2/debian/patches/fix-asprintf-warnings.patch 1969-12-31 16:00:00.000000000 -0800
+++ audit-2.2.2/debian/patches/fix-asprintf-warnings.patch 2013-02-08 19:14:32.000000000 -0800
@@ -0,0 +1,1011 @@ +Description: Don't ignore the return value of asprintf() + If an error occurs in asprintf(), the contents of the strp variable are + undefined. asprintf()'s return value must be checked and the parameter passed + into asprintf must be set to NULL upon error. +Author: Tyler Hicks +Fowarded: https://www.redhat.com/archives/linux-audit/2013-February/msg00005.html +Index: audit-2.2.2/auparse/interpret.c +=================================================================== +--- audit-2.2.2.orig/auparse/interpret.c 2013-02-08 18:03:06.783190332 -0800 ++++ audit-2.2.2/auparse/interpret.c 2013-02-08 18:04:28.959193250 -0800 +@@ -292,7 +292,8 @@ + uid = strtoul(val, NULL, base); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -308,7 +309,8 @@ + gid = strtoul(val, NULL, base); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -321,14 +323,16 @@ + char *out; + + if (machine < 0) { +- asprintf(&out, "unknown elf type(%s)", val); ++ if (asprintf(&out, "unknown elf type(%s)", val) < 0) ++ out = NULL; + return out; + } + ptr = audit_machine_to_name(machine); + if (ptr) + return strdup(ptr); + else { +- asprintf(&out, "unknown machine type(%d)", machine); ++ if (asprintf(&out, "unknown machine type(%d)", machine) < 0) ++ out = NULL; + return out; + } + } +@@ -355,13 +359,15 @@ + } else if (strcmp(sys, "ipc") == 0) + if ((int)a0 == a0) + func = ipc_i2s(a0); +- if (func) +- asprintf(&out, "%s(%s)", sys, func); +- else ++ if (func) { ++ if (asprintf(&out, "%s(%s)", sys, func) < 0) ++ out = NULL; ++ } else + return strdup(sys); +- } +- else +- asprintf(&out, "unknown syscall(%d)", syscall); ++ } else { ++ if (asprintf(&out, "unknown syscall(%d)", syscall) < 0) ++ out = NULL; ++ } + + return out; + } +@@ -374,12 +380,14 @@ + 
errno = 0; + ival = strtol(val, NULL, 10); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + if (ival < 0) { +- asprintf(&out, "%d(%s)", ival, strerror(-ival)); ++ if (asprintf(&out, "%d(%s)", ival, strerror(-ival)) < 0) ++ out = NULL; + return out; + } + return strdup(val); +@@ -428,7 +436,8 @@ + ival = strtol(val, NULL, 10); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -473,7 +482,8 @@ + errno = 0; + ival = strtoul(val, NULL, base); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -498,7 +508,9 @@ + strcat(buf, ",sticky"); + + // and the read, write, execute flags in octal +- asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO) & ival); ++ if (asprintf(&out, "%s,%03o", buf, ++ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0) ++ out = NULL; + return out; + } + +@@ -510,7 +522,8 @@ + errno = 0; + ival = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -525,9 +538,13 @@ + + // and the read, write, execute flags in octal + if (buf[0] == 0) +- asprintf(&out, "0%03o", (S_IRWXU|S_IRWXG|S_IRWXO) & ival); ++ if (asprintf(&out, "0%03o", ++ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0) ++ out = NULL; + else +- asprintf(&out, "%s,%03o", buf, (S_IRWXU|S_IRWXG|S_IRWXO)&ival); ++ if (asprintf(&out, "%s,%03o", buf, ++ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0) ++ out = NULL; + return out; + } + +@@ -540,12 +557,14 @@ + errno = 0; + i = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + str = fam_i2s(i); + 
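Review bot: In the `@@ -525,9 +538,13 @@` hunk of auparse/interpret.c the new `if (asprintf(...) < 0)` sits unbraced under `if (buf[0] == 0)`, so the following `else` now binds to the asprintf() check instead of the `buf[0]` test. As written, a non-empty `buf` reaches `return out;` without `out` being assigned in the hunk, and an empty `buf` with a successful first call runs the second asprintf() and leaks the first allocation. Brace the outer branches, `if (buf[0] == 0) {` ... `} else {` ... `}`, as this patch already does in its `@@ -355,13 +359,15 @@` hunk. The same dangling `else` appears under `if (errno)` in the `@@ -1388,7 +1449,8 @@` and `@@ -1413,7 +1475,8 @@` hunks, where the success path would skip the `else` body entirely. The enclosing functions start outside these hunks, so whether `out` has an initializer should be confirmed there.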
if (str == NULL) { +- asprintf(&out, "unknown family(%s)", val); ++ if (asprintf(&out, "unknown family(%s)", val) < 0) ++ out = NULL; + return out; + } else + return strdup(str); +@@ -560,12 +579,14 @@ + errno = 0; + type = 0xFF & strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + str = sock_type_i2s(type); + if (str == NULL) { +- asprintf(&out, "unknown type(%s)", val); ++ if (asprintf(&out, "unknown type(%s)", val) < 0) ++ out = NULL; + return out; + } else + return strdup(str); +@@ -580,12 +601,14 @@ + errno = 0; + proto = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + p = getprotobynumber(proto); + if (p == NULL) { +- asprintf(&out, "unknown proto(%s)", val); ++ if (asprintf(&out, "unknown proto(%s)", val) < 0) ++ out = NULL; + return out; + } else + return strdup(p->p_name); +@@ -593,7 +616,7 @@ + + static const char *print_sockaddr(const char *val) + { +- int slen; ++ int slen, rc = 0; + const struct sockaddr *saddr; + char name[NI_MAXHOST], serv[NI_MAXSERV]; + const char *host; +@@ -603,7 +626,8 @@ + slen = strlen(val)/2; + host = au_unescape((char *)val); + if (host == NULL) { +- asprintf(&out, "malformed host(%s)", val); ++ if (asprintf(&out, "malformed host(%s)", val) < 0) ++ out = NULL; + return out; + } + saddr = (struct sockaddr *)host; +@@ -611,7 +635,8 @@ + + str = fam_i2s(saddr->sa_family); + if (str == NULL) { +- asprintf(&out, "unknown family(%d)", saddr->sa_family); ++ if (asprintf(&out, "unknown family(%d)", saddr->sa_family) < 0) ++ out = NULL; + return out; + } + +@@ -622,94 +647,96 @@ + const struct sockaddr_un *un = + (struct sockaddr_un *)saddr; + if (un->sun_path[0]) +- asprintf(&out, "%s %s", str, +- un->sun_path); ++ rc = asprintf(&out, "%s %s", str, ++ un->sun_path); + else // 
abstract name +- asprintf(&out, "%s %.108s", str, +- &un->sun_path[1]); ++ rc = asprintf(&out, "%s %.108s", str, ++ &un->sun_path[1]); + } + break; + case AF_INET: + if (slen < sizeof(struct sockaddr_in)) { +- asprintf(&out, "%s sockaddr len too short", +- str); +- free((char *)host); +- return out; ++ rc = asprintf(&out, "%s sockaddr len too short", ++ str); ++ break; + } + slen = sizeof(struct sockaddr_in); + if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv, + NI_MAXSERV, NI_NUMERICHOST | + NI_NUMERICSERV) == 0 ) { +- asprintf(&out, "%s host:%s serv:%s", str, +- name, serv); ++ rc = asprintf(&out, "%s host:%s serv:%s", str, ++ name, serv); + } else +- asprintf(&out, "%s (error resolving addr)", +- str); ++ rc = asprintf(&out, "%s (error resolving addr)", ++ str); + break; + case AF_AX25: + { + const struct sockaddr_ax25 *x = + (struct sockaddr_ax25 *)saddr; +- asprintf(&out, "%s call:%c%c%c%c%c%c%c", str, +- x->sax25_call.ax25_call[0], +- x->sax25_call.ax25_call[1], +- x->sax25_call.ax25_call[2], +- x->sax25_call.ax25_call[3], +- x->sax25_call.ax25_call[4], +- x->sax25_call.ax25_call[5], +- x->sax25_call.ax25_call[6] +- ); ++ rc = asprintf(&out, "%s call:%c%c%c%c%c%c%c", ++ str, ++ x->sax25_call.ax25_call[0], ++ x->sax25_call.ax25_call[1], ++ x->sax25_call.ax25_call[2], ++ x->sax25_call.ax25_call[3], ++ x->sax25_call.ax25_call[4], ++ x->sax25_call.ax25_call[5], ++ x->sax25_call.ax25_call[6]); + } + break; + case AF_IPX: + { + const struct sockaddr_ipx *ip = + (struct sockaddr_ipx *)saddr; +- asprintf(&out, "%s port:%d net:%u", str, +- ip->sipx_port, ip->sipx_network); ++ rc = asprintf(&out, "%s port:%d net:%u", str, ++ ip->sipx_port, ip->sipx_network); + } + break; + case AF_ATMPVC: + { + const struct sockaddr_atmpvc* at = + (struct sockaddr_atmpvc *)saddr; +- asprintf(&out, "%s int:%d", str, +- at->sap_addr.itf); ++ rc = asprintf(&out, "%s int:%d", str, ++ at->sap_addr.itf); + } + break; + case AF_X25: + { + const struct sockaddr_x25* x = + (struct 
sockaddr_x25 *)saddr; +- asprintf(&out, "%s addr:%.15s", str, +- x->sx25_addr.x25_addr); ++ rc = asprintf(&out, "%s addr:%.15s", str, ++ x->sx25_addr.x25_addr); + } + break; + case AF_INET6: + if (slen < sizeof(struct sockaddr_in6)) { +- asprintf(&out, "%s sockaddr6 len too short", +- str); +- free((char *)host); +- return out; ++ rc = asprintf(&out, ++ "%s sockaddr6 len too short", ++ str); ++ break; + } + slen = sizeof(struct sockaddr_in6); + if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv, + NI_MAXSERV, NI_NUMERICHOST | + NI_NUMERICSERV) == 0 ) { +- asprintf(&out, "%s host:%s serv:%s", str, +- name, serv); ++ rc = asprintf(&out, "%s host:%s serv:%s", str, ++ name, serv); + } else +- asprintf(&out, "%s (error resolving addr)", +- str); ++ rc = asprintf(&out, "%s (error resolving addr)", ++ str); + break; + case AF_NETLINK: + { + const struct sockaddr_nl *n = + (struct sockaddr_nl *)saddr; +- asprintf(&out, "%s pid:%u", str, n->nl_pid); ++ rc = asprintf(&out, "%s pid:%u", str, ++ n->nl_pid); + } + break; + } ++ if (rc < 0) ++ out = NULL; + free((char *)host); + return out; + } +@@ -723,11 +750,13 @@ + errno = 0; + flags = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + if (flags == 0) { +- asprintf(&out, "none"); ++ if (asprintf(&out, "none") < 0) ++ out = NULL; + return out; + } + buf[0] = 0; +@@ -755,7 +784,8 @@ + ival = strtol(val, NULL, 10); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -774,14 +804,16 @@ + errno = 0; + cap = strtoul(val, NULL, 10); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = cap_i2s(cap); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown capability(%s)", val); 
++ if (asprintf(&out, "unknown capability(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -797,7 +829,8 @@ + temp = strtoull(val, NULL, 16); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -829,7 +862,8 @@ + res = strtoul(val, NULL, 10); + if (errno) { + char *out; +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -848,7 +882,8 @@ + errno = 0; + flags = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -883,7 +918,8 @@ + errno = 0; + flags = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -915,14 +951,16 @@ + errno = 0; + cmd = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = fcntl_i2s(cmd); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown fcntl command(%d)", cmd); ++ if (asprintf(&out, "unknown fcntl command(%d)", cmd) < 0) ++ out = NULL; + return out; + } + +@@ -935,14 +973,16 @@ + errno = 0; + cmd = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = epoll_ctl_i2s(cmd); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown epoll_ctl operation (%d)", cmd); ++ if (asprintf(&out, "unknown epoll_ctl operation (%d)", cmd) < 0) ++ out = NULL; + return out; + } + +@@ -954,7 +994,8 @@ + errno = 0; + i = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if 
(asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + else if (i < 7) { +@@ -962,7 +1003,8 @@ + if (s != NULL) + return strdup(s); + } +- asprintf(&out, "unknown clk_id (%s)", val); ++ if (asprintf(&out, "unknown clk_id (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -976,7 +1018,8 @@ + errno = 0; + prot = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + buf[0] = 0; +@@ -1015,7 +1058,8 @@ + errno = 0; + maps = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + buf[0] = 0; +@@ -1049,7 +1093,8 @@ + errno = 0; + pers = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1057,12 +1102,14 @@ + s = person_i2s(pers2); + if (s != NULL) { + if (pers & ADDR_NO_RANDOMIZE) { +- asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s); ++ if (asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s) < 0) ++ out = NULL; + return out; + } else + return strdup(s); + } +- asprintf(&out, "unknown personality (%s)", val); ++ if (asprintf(&out, "unknown personality (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1075,14 +1122,16 @@ + errno = 0; + trace = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = ptrace_i2s(trace); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown ptrace (%s)", val); ++ if (asprintf(&out, "unknown ptrace (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1096,7 +1145,8 @@ + errno = 0; + mounts = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, 
"conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + buf[0] = 0; +@@ -1124,7 +1174,8 @@ + errno = 0; + i = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + else if (i < 17) { +@@ -1132,7 +1183,8 @@ + if (s != NULL) + return strdup(s); + } +- asprintf(&out, "unknown rlimit (%s)", val); ++ if (asprintf(&out, "unknown rlimit (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1146,7 +1198,8 @@ + errno = 0; + rec = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + buf[0] = 0; +@@ -1256,7 +1309,9 @@ + errno = 0; + ival = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", ++ val) < 0) ++ out = NULL; + return out; + } + switch (r->a1) +@@ -1328,7 +1383,8 @@ + errno = 0; + i = strtoul(val, NULL, base); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + else if (i < 32) { +@@ -1336,7 +1392,8 @@ + if (s != NULL) + return strdup(s); + } +- asprintf(&out, "unknown signal (%s)", val); ++ if (asprintf(&out, "unknown signal (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1349,14 +1406,16 @@ + errno = 0; + proto = strtoul(val, NULL, 10); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = nfproto_i2s(proto); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown netfilter protocol (%s)", val); ++ if (asprintf(&out, "unknown netfilter protocol (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1369,14 +1428,16 @@ + errno = 0; + icmptype = strtoul(val, NULL, 10); + if (errno) { +- asprintf(&out, 
"conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + + s = icmptype_i2s(icmptype); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown icmp type (%s)", val); ++ if (asprintf(&out, "unknown icmp type (%s)", val) < 0) ++ out = NULL; + return out; + } + +@@ -1388,7 +1449,8 @@ + errno = 0; + i = strtoul(val, NULL, 10); + if (errno) +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + else { + struct protoent *p = getprotobynumber(i); + if (p) +@@ -1413,7 +1475,8 @@ + errno = 0; + i = strtoul(val, NULL, 10); + if (errno) +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + else + out = strdup(audit_flag_to_name(i)); + return out; +@@ -1567,13 +1630,15 @@ + errno = 0; + code = strtoul(val, NULL, 16); + if (errno) { +- asprintf(&out, "conversion error(%s)", val); ++ if (asprintf(&out, "conversion error(%s)", val) < 0) ++ out = NULL; + return out; + } + s = seccomp_i2s(code & SECCOMP_RET_ACTION); + if (s != NULL) + return strdup(s); +- asprintf(&out, "unknown seccomp code (%s)", val); ++ if (asprintf(&out, "unknown seccomp code (%s)", val) < 0) ++ out = NULL; + return out; + } + +Index: audit-2.2.2/lib/audit_logging.c +=================================================================== +--- audit-2.2.2.orig/lib/audit_logging.c 2013-02-08 18:03:06.783190332 -0800 ++++ audit-2.2.2/lib/audit_logging.c 2013-02-08 18:04:28.963193251 -0800 +@@ -133,12 +133,14 @@ + char *tmp = malloc(2*vlen + 1); + if (tmp) { + audit_encode_value(tmp, value, vlen); +- asprintf(&str, "%s=%s", name, tmp); ++ if (asprintf(&str, "%s=%s", name, tmp) < 0) ++ str = NULL; + free(tmp); + } else + str = NULL; + } else +- asprintf(&str, "%s=\"%s\"", name, value ? value : "?"); ++ if (asprintf(&str, "%s=\"%s\"", name, value ? 
value : "?") < 0) ++ str = NULL; + return str; + } + +Index: audit-2.2.2/auparse/expression.c +=================================================================== +--- audit-2.2.2.orig/auparse/expression.c 2013-02-08 18:03:06.783190332 -0800 ++++ audit-2.2.2/auparse/expression.c 2013-02-08 18:04:28.963193251 -0800 +@@ -191,9 +191,10 @@ + if (*p->src == '\\') { + p->src++; + if (*p->src != '\\' && *p->src != delimiter) { +- *p->error = NULL; +- asprintf(p->error, "Unknown escape " +- "sequence ``\\%c''", *p->src); ++ if (asprintf(p->error, "Unknown escape " ++ "sequence ``\\%c''", ++ *p->src) < 0) ++ *p->error = NULL; + free(buf); + return -1; + } +@@ -381,17 +382,17 @@ + if (sscanf(p->token_value, "ts:%jd.%u", &sec, + &dest->v.p.value.timestamp.milli) + != 2) { +- *p->error = NULL; +- asprintf(p->error, "Invalid timestamp value `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, "Invalid timestamp value `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + return -1; + } + /* FIXME: validate milli */ + dest->v.p.value.timestamp.sec = sec; + if (dest->v.p.value.timestamp.sec != sec) { +- *p->error = NULL; +- asprintf(p->error, "Timestamp overflow in `%.*s'", p->token_len, +- p->token_start); ++ if (asprintf(p->error, "Timestamp overflow in `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + return -1; + } + dest->precomputed_value = 1; +@@ -410,9 +411,9 @@ + assert(p->token == T_STRING); + type = audit_name_to_msg_type(p->token_value); + if (type < 0) { +- *p->error = NULL; +- asprintf(p->error, "Invalid record type `%.*s'", p->token_len, +- p->token_start); ++ if (asprintf(p->error, "Invalid record type `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + return -1; + } + dest->v.p.value.int_value = type; +@@ -452,9 +453,9 @@ + if (lex(p) != 0) + goto err_res; + if (p->token != T_STRING && p->token != T_REGEXP) { +- *p->error = NULL; +- asprintf(p->error, "Regexp expected, got `%.*s'", 
p->token_len, +- p->token_start); ++ if (asprintf(p->error, "Regexp expected, got `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_res; + } + res->v.regexp = parser_malloc(p, sizeof(*res->v.regexp)); +@@ -470,8 +471,8 @@ + if (err_msg == NULL) + goto err_res_regexp; + regerror(err, res->v.regexp, err_msg, err_size); +- *p->error = NULL; +- asprintf(p->error, "Invalid regexp: %s", err_msg); ++ if (asprintf(p->error, "Invalid regexp: %s", err_msg) < 0) ++ *p->error = NULL; + free(err_msg); + goto err_res_regexp; + } +@@ -514,9 +515,10 @@ + res->virtual_field = 1; + if (parse_escaped_field_name(&res->v.p.field.id, p->token_value) + != 0) { +- *p->error = NULL; +- asprintf(p->error, "Unknown escaped field name `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, ++ "Unknown escaped field name `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_res; + } + } else { +@@ -534,9 +536,9 @@ + if (lex(p) != 0) + goto err_field; + if (p->token != T_STRING) { +- *p->error = NULL; +- asprintf(p->error, "Value expected, got `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, "Value expected, got `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_field; + } + res->precomputed_value = 0; +@@ -554,16 +556,16 @@ + if (lex(p) != 0) + goto err_field; + if (p->token != T_STRING) { +- *p->error = NULL; +- asprintf(p->error, "Value expected, got `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, "Value expected, got `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_field; + } + if (res->virtual_field == 0) { +- *p->error = NULL; +- asprintf (p->error, "Field `%s' does not support " +- "value comparison", +- res->v.p.field.name); ++ if (asprintf(p->error, "Field `%s' does not support " ++ "value comparison", ++ res->v.p.field.name) < 0) ++ *p->error = NULL; + goto err_field; + } else { + if (parse_virtual_field_value(res, p) != 
0) +@@ -576,9 +578,9 @@ + break; + + default: +- *p->error = NULL; +- asprintf(p->error, "Operator expected, got `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, "Operator expected, got `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_field; + } + return res; +@@ -624,9 +626,10 @@ + if (e == NULL) + return NULL; + if (p->token != T_RIGHT_PAREN) { +- *p->error = NULL; +- asprintf(p->error, "Right paren expected, got `%.*s'", +- p->token_len, p->token_start); ++ if (asprintf(p->error, ++ "Right paren expected, got `%.*s'", ++ p->token_len, p->token_start) < 0) ++ *p->error = NULL; + goto err_e; + } + if (lex(p) != 0) +@@ -638,9 +641,9 @@ + return parse_comparison(p); + + default: +- *p->error = NULL; +- asprintf(p->error, "Unexpected token `%.*s'", p->token_len, +- p->token_start); ++ if (asprintf(p->error, "Unexpected token `%.*s'", p->token_len, ++ p->token_start) < 0) ++ *p->error = NULL; + return NULL; + } + err_e: +@@ -744,9 +747,9 @@ + res = parse_or(&p); + if (res != NULL && p.token != T_EOF) { + expr_free(res); +- *error = NULL; +- asprintf(error, "Unexpected trailing token `%.*s'", +- p.token_len, p.token_start); ++ if (asprintf(error, "Unexpected trailing token `%.*s'", ++ p.token_len, p.token_start) < 0) ++ *error = NULL; + goto err; + } + free(p.token_value); +Index: audit-2.2.2/src/auditctl.c +=================================================================== +--- audit-2.2.2.orig/src/auditctl.c 2013-02-08 18:03:06.783190332 -0800 ++++ audit-2.2.2/src/auditctl.c 2013-02-08 18:04:28.967193251 -0800 +@@ -930,16 +930,16 @@ + flags = del & AUDIT_FILTER_MASK; + + /* Build the command */ +- asprintf(&cmd, "key=%s", key); +- if (cmd) { ++ if (asprintf(&cmd, "key=%s", key) < 0) { ++ cmd = NULL; ++ fprintf(stderr, "Out of memory adding key\n"); ++ retval = -1; ++ } else { + /* Add this to the rule */ + int ret = audit_rule_fieldpair_data(&rule_new, cmd, flags); + if (ret < 0) + retval = -1; + free(cmd); +- } else 
{ +- fprintf(stderr, "Out of memory adding key\n"); +- retval = -1; + } + } + if (retval == -1 && errno == ECONNREFUSED) +@@ -1351,8 +1351,9 @@ + int field = rep->ruledata->fields[i] & ~AUDIT_OPERATORS; + if (field == AUDIT_FILTERKEY) { + char *keyptr; +- asprintf(&keyptr, "%.*s", rep->ruledata->values[i], +- &rep->ruledata->buf[boffset]); ++ if (asprintf(&keyptr, "%.*s", rep->ruledata->values[i], ++ &rep->ruledata->buf[boffset]) < 0) ++ keyptr = NULL; + if (strstr(keyptr, key)) { + free(keyptr); + return 1; +@@ -1467,9 +1468,10 @@ + rep->ruledata->values[i]; + } else if (field == AUDIT_FILTERKEY) { + char *rkey, *ptr; +- asprintf(&rkey, "%.*s", +- rep->ruledata->values[i], +- &rep->ruledata->buf[boffset]); ++ if (asprintf(&rkey, "%.*s", ++ rep->ruledata->values[i], ++ &rep->ruledata->buf[boffset]) < 0) ++ rkey = NULL; + boffset += + rep->ruledata->values[i]; + ptr = strtok(rkey, key_sep); +Index: audit-2.2.2/auparse/ellist.c +=================================================================== +--- audit-2.2.2.orig/auparse/ellist.c 2013-02-08 18:03:06.783190332 -0800 ++++ audit-2.2.2/auparse/ellist.c 2013-02-08 18:04:28.967193251 -0800 +@@ -91,7 +91,8 @@ + } + p++; + } +- asprintf(&name, "\"%s\"", tmp); ++ if (asprintf(&name, "\"%s\"", tmp) < 0) ++ name = NULL; + return name; + } + +Index: audit-2.2.2/audisp/audispd.c +=================================================================== +--- audit-2.2.2.orig/audisp/audispd.c 2013-02-08 18:04:31.675193348 -0800 ++++ audit-2.2.2/audisp/audispd.c 2013-02-08 18:06:47.647198175 -0800 +@@ -613,6 +613,7 @@ + len = asprintf(&v, "type=%s msg=%.*s\n", + type, e->hdr.size, e->data); + if (len <= 0) { ++ v = NULL; + free(e); /* Either corrupted event or no memory */ + continue; + } +Index: audit-2.2.2/audisp/plugins/prelude/audisp-prelude.c +=================================================================== +--- audit-2.2.2.orig/audisp/plugins/prelude/audisp-prelude.c 2012-12-12 05:52:00.000000000 -0800 ++++ 
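Review bot: Setting `keyptr = NULL` on asprintf() failure in the `@@ -1351,8 +1351,9 @@` hunk of src/auditctl.c does not create an error path, because the next context line passes the pointer straight to `strstr(keyptr, key)`, which dereferences NULL. The `@@ -1467,9 +1468,10 @@` hunk has the same shape: `rkey = NULL` is followed by `strtok(rkey, key_sep)`, and strtok() with a NULL first argument resumes whatever string was tokenized last rather than failing. Both sites should skip the field when the allocation fails, for example `if (asprintf(&keyptr, ...) < 0) continue;`, while still advancing `boffset` in the second one. The surrounding loops lie outside the hunks, so the correct exit (continue, return or an error code) needs to be confirmed against the full functions.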
audit-2.2.2/audisp/plugins/prelude/audisp-prelude.c 2013-02-08 18:08:30.367201823 -0800 +@@ -967,7 +967,9 @@ + int len2; + len2 = asprintf(&ptr, "%s=%s ", var, + auparse_interpret_field(au)); +- if (len2 > 0 && (len2 + len) < sizeof(msg)) { ++ if (len2 < 0) { ++ ptr = NULL; ++ } else if (len2 > 0 && (len2 + len) < sizeof(msg)) { + strcat(msg, ptr); + len += len2; + } diff -Nru audit-2.2.2/debian/patches/fix-discards-const-qualifier-warnings.patch audit-2.2.2/debian/patches/fix-discards-const-qualifier-warnings.patch --- audit-2.2.2/debian/patches/fix-discards-const-qualifier-warnings.patch 1969-12-31 16:00:00.000000000 -0800 +++ audit-2.2.2/debian/patches/fix-discards-const-qualifier-warnings.patch 2013-02-08 19:15:13.000000000 -0800 
@@ -0,0 +1,93 @@ +Description: Fix discards 'const' qualifier from pointer target type warnings + The event_note_list pointer is reassigned and its members are also reassigned. + It should not be declared with the const qualifier. + . + The ptr variable, in unescape(), cannot be used to modify a string since it is + initialized to the const char *buf input parameter. Rather than modifying buf, + we can use ptr as a placeholder and use strndup() to allocate str. Later in + the function a new, non-const pointer is used to modify str. These changes + allow unescape() to still take a const char * as its input parameter. +Author: Tyler Hicks +Fowarded: https://www.redhat.com/archives/linux-audit/2013-February/msg00006.html +Index: audit-2.2.2/src/aureport-options.c +=================================================================== +--- audit-2.2.2.orig/src/aureport-options.c 2013-02-08 18:26:37.901175929 -0800 ++++ audit-2.2.2/src/aureport-options.c 2013-02-08 18:27:30.989177820 -0800 +@@ -42,7 +42,7 @@ + + /* These are for compatibility with parser */ + unsigned int event_id = -1; +-const slist *event_node_list = NULL; ++slist *event_node_list = NULL; + const char *event_key = NULL; + const char *event_filename = NULL; + const char *event_exe = NULL; +Index: audit-2.2.2/src/ausearch-options.c +=================================================================== +--- audit-2.2.2.orig/src/ausearch-options.c 2013-02-08 18:26:37.901175929 -0800 ++++ audit-2.2.2/src/ausearch-options.c 2013-02-08 18:27:30.989177820 -0800 +@@ -68,7 +68,7 @@ + report_t report_format = RPT_DEFAULT; + ilist *event_type; + +-const slist *event_node_list = NULL; ++slist *event_node_list = NULL; + + struct nv_pair { + int value; +Index: audit-2.2.2/src/ausearch-common.h +=================================================================== +--- audit-2.2.2.orig/src/ausearch-common.h 2013-02-08 18:26:37.901175929 -0800 ++++ audit-2.2.2/src/ausearch-common.h 2013-02-08 18:27:30.993177817 -0800 +@@ 
-35,7 +35,7 @@ + extern pid_t event_pid; + extern int event_exact_match; + extern uid_t event_uid, event_euid, event_loginuid; +-const slist *event_node_list; ++slist *event_node_list; + extern const char *event_comm; + extern const char *event_filename; + extern const char *event_hostname; +Index: audit-2.2.2/src/ausearch-lookup.c +=================================================================== +--- audit-2.2.2.orig/src/ausearch-lookup.c 2013-02-08 18:27:23.353177543 -0800 ++++ audit-2.2.2/src/ausearch-lookup.c 2013-02-08 18:32:08.061187656 -0800 +@@ -318,7 +318,8 @@ + char *unescape(const char *buf) + { + int len, i; +- char saved, *ptr = buf, *str; ++ char *str, *strptr; ++ const char *ptr = buf; + + /* Find the end of the name */ + if (*ptr == '(') { +@@ -331,10 +332,7 @@ + while (isxdigit(*ptr)) + ptr++; + } +- saved = *ptr; +- *ptr = 0; +- str = strdup(buf); +- *ptr = saved; ++ str = strndup(buf, ptr - buf); + + if (*buf == '(') + return str; +@@ -347,12 +345,12 @@ + free(str); + return NULL; + } +- ptr = str; ++ strptr = str; + for (i=0; i +Fowarded: https://www.redhat.com/archives/linux-audit/2013-February/msg00004.html +Index: audit-2.2.2/src/auditd.c +=================================================================== +--- audit-2.2.2.orig/src/auditd.c 2013-02-08 18:16:17.643218420 -0800 ++++ audit-2.2.2/src/auditd.c 2013-02-08 18:20:21.507227078 -0800 +@@ -240,7 +240,7 @@ + + static int write_pid_file(void) + { +- int pidfd, len; ++ int pidfd, len, rc; + char val[16]; + + len = snprintf(val, sizeof(val), "%u\n", getpid()); +@@ -256,29 +256,38 @@ + pidfile = 0; + return 1; + } +- (void)write(pidfd, val, (unsigned int)len); ++ if (write(pidfd, val, (unsigned int)len) != len) { ++ audit_msg(LOG_ERR, "Unable to write pidfile (%s)", ++ strerror(errno)); ++ close(pidfd); ++ pidfile = 0; ++ return 1; ++ } + close(pidfd); + return 0; + } + + static void avoid_oom_killer(void) + { +- int oomfd; ++ int oomfd, len, rc; ++ char *score = NULL; + + /* New kernels 
use different technique */
+- oomfd = open("/proc/self/oom_score_adj", O_NOFOLLOW | O_WRONLY);
+- if (oomfd >= 0) {
+- (void)write(oomfd, "-1000", 5);
+- close(oomfd);
+- return;
+- }
+- oomfd = open("/proc/self/oom_adj", O_NOFOLLOW | O_WRONLY);
+- if (oomfd >= 0) {
+- (void)write(oomfd, "-17", 3);
+- close(oomfd);
+- return;
+- }
+- // Old style kernel...perform another action here
++ if ((oomfd = open("/proc/self/oom_score_adj",
++ O_NOFOLLOW | O_WRONLY)) >= 0) {
++ score = "-1000";
++ } else if ((oomfd = open("/proc/self/oom_adj",
++ O_NOFOLLOW | O_WRONLY)) >= 0) {
++ score = "-17";
++ } else
++ audit_msg(LOG_NOTICE, "Cannot open out of memory adjuster");
++
++ len = strlen(score);
++ rc = write(oomfd, score, len);
++ if (rc != len)
++ audit_msg(LOG_NOTICE, "Unable to adjust out of memory score");
++
++ close(oomfd);
+ }
+
+ /*
+@@ -328,7 +337,12 @@
+ close(fd);
+
+ /* Change to '/' */
+- chdir("/");
++ rc = chdir("/");
++ if (rc < 0) {
++ audit_msg(LOG_ERR,
++ "Cannot change working directory to /");
++ return -1;
++ }
+
+ /* Become session/process group leader */
+ setsid();
+@@ -540,8 +554,8 @@
+
+ if (config.priority_boost != 0) {
+ errno = 0;
+- (void) nice((int)-config.priority_boost);
+- if (errno) {
++ rc = nice((int)-config.priority_boost);
++ if (rc == -1 && errno) {
+ audit_msg(LOG_ERR, "Cannot change priority (%s)",
+ strerror(errno));
+ return 1;
+Index: audit-2.2.2/src/auditd-event.c
+===================================================================
+--- audit-2.2.2.orig/src/auditd-event.c 2013-02-08 18:16:17.643218420 -0800
++++ audit-2.2.2/src/auditd-event.c 2013-02-08 18:20:21.511227076 -0800
+@@ -708,10 +708,18 @@
+ if (data->config->num_logs < 2)
+ return;
+
+- /* Close audit file */
+- fchmod(data->log_fd,
+- data->config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR);
+- fchown(data->log_fd, 0, data->config->log_group);
++ /* Close audit file.
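Review bot: In the rewritten `avoid_oom_killer()` the final `else` only logs and then falls through, so when neither `/proc/self/oom_score_adj` nor `/proc/self/oom_adj` can be opened, `score` is still NULL and `oomfd` is negative when `strlen(score)`, `write()` and `close()` run. That is a NULL dereference during daemon start-up on a host where both opens fail, a case in which the removed code simply returned; a crash here would presumably leave the system without a running audit daemon. The branch should return after logging: `} else { audit_msg(LOG_NOTICE, "Cannot open out of memory adjuster"); return; }`. `score` only ever points at string literals, so `const char *score` would also be the better declaration.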
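Review bot: The new `chdir("/")` failure message omits the errno text, unlike the pidfile, priority and log-file messages added elsewhere in this patch, so the log will not say why the directory change failed; `audit_msg(LOG_ERR, "Cannot change working directory to / (%s)", strerror(errno));` would match them. `rc` is not declared in this hunk and the function's other return values are outside it, so both the declaration and the `-1` return convention should be confirmed against the rest of the function.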
fchmod and fchown errors are not fatal because we
++ * already adjusted log file permissions and ownership when opening the
++ * log file. */
++ if (fchmod(data->log_fd, data->config->log_group ? S_IRUSR|S_IRGRP :
++ S_IRUSR) < 0) {
++ audit_msg(LOG_NOTICE, "Couldn't change permissions while "
++ "rotating log file (%s)", strerror(errno));
++ }
++ if (fchown(data->log_fd, 0, data->config->log_group) < 0) {
++ audit_msg(LOG_NOTICE, "Couldn't change ownership while "
++ "rotating log file (%s)", strerror(errno));
++ }
+ fclose(data->log_file);
+
+ /* Rotate */
+@@ -924,9 +932,20 @@
+ return 1;
+ }
+ }
+- fchmod(lfd, data->config->log_group ? S_IRUSR|S_IWUSR|S_IRGRP :
+- S_IRUSR|S_IWUSR);
+- fchown(lfd, 0, data->config->log_group);
++ if (fchmod(lfd, data->config->log_group ? S_IRUSR|S_IWUSR|S_IRGRP :
++ S_IRUSR|S_IWUSR) < 0) {
++ audit_msg(LOG_ERR,
++ "Couldn't change permissions of log file (%s)",
++ strerror(errno));
++ close(lfd);
++ return 1;
++ }
++ if (fchown(lfd, 0, data->config->log_group) < 0) {
++ audit_msg(LOG_ERR, "Couldn't change ownership of log file (%s)",
++ strerror(errno));
++ close(lfd);
++ return 1;
++ }
+
+ data->log_fd = lfd;
+ data->log_file = fdopen(lfd, "a");
+@@ -1089,8 +1108,18 @@
+
+ // priority boost
+ if (oconf->priority_boost != nconf->priority_boost) {
++ int rc;
++
+ oconf->priority_boost = nconf->priority_boost;
+- nice(-oconf->priority_boost);
++ errno = 0;
++ rc = nice(-oconf->priority_boost);
++ if (rc == -1 && errno) {
++ int saved_errno = errno;
++ audit_msg(LOG_NOTICE, "Cannot change priority in "
++ "reconfigure (%s)", strerror(errno));
++ do_disk_error_action("reconfig", data->config,
++ saved_errno);
++ }
+ }
+
+ // log format
+Index: audit-2.2.2/audisp/audispd.c
+===================================================================
+--- audit-2.2.2.orig/audisp/audispd.c 2013-02-08 18:20:21.479227078 -0800
++++ audit-2.2.2/audisp/audispd.c 2013-02-08 18:20:21.511227076 -0800
+@@ -369,9 +369,11 @@
+
+ /* Now boost priority to
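Review bot: The new comment above the `fchmod`/`fchown` calls in the rotation path (hunk at -708) says failures are harmless because permissions were already set when the log was opened, but the open path in this same file (hunk at -924) sets `S_IRUSR|S_IWUSR`, and rotation is the step that drops the write bit. A failed `fchmod` here therefore leaves the rotated log owner-writable, and that is reported only at `LOG_NOTICE`. I would reword the comment to say so, e.g. `/* Close audit file. Errors are not fatal, but a failed fchmod leaves the rotated log with the writable mode set at open. */`, and consider `LOG_WARNING` for the two messages. The enclosing function starts and ends outside the hunk.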
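Review bot: The failure branch added around `nice()` in the reconfigure path (hunk at -1089) calls `do_disk_error_action("reconfig", ...)`, which by its name is the disk-error handler; a priority change that fails is not a disk fault, and depending on how that handler is configured it could turn a harmless scheduling failure into a disruptive action on the audit daemon. The audispd.c hunk in this patch handles the same failure by logging and carrying on ("Stay alive as this is better than stopping"), and I would do the same here by dropping the `do_disk_error_action` call. `oconf->priority_boost` is also overwritten before `nice()` is known to have succeeded, so on failure the stored value no longer matches the applied priority. The enclosing function is only partly visible in this hunk.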
make sure we are getting time slices */
+ if (daemon_config.priority_boost != 0) {
++ int rc;
++
+ errno = 0;
+- (void) nice((int)-daemon_config.priority_boost);
+- if (errno) {
++ rc = nice((int)-daemon_config.priority_boost);
++ if (rc == -1 && errno) {
+ syslog(LOG_ERR, "Cannot change priority (%s)",
+ strerror(errno));
+ /* Stay alive as this is better than stopping */
+Index: audit-2.2.2/src/autrace.c
+===================================================================
+--- audit-2.2.2.orig/src/autrace.c 2013-02-08 18:16:17.643218420 -0800
++++ audit-2.2.2/src/autrace.c 2013-02-08 18:20:21.511227076 -0800
+@@ -245,7 +245,11 @@
+ exit(1);
+ }
+ sleep(1);
+- (void)write(fd[1],"1", 1);
++ if (write(fd[1],"1", 1) != 1) {
++ kill(pid,SIGTERM);
++ (void)delete_all_rules(audit_fd);
++ exit(1);
++ }
+ waitpid(pid, NULL, 0);
+ close(fd[1]);
+ puts("Cleaning up...");
diff -Nru audit-2.2.2/debian/patches/series audit-2.2.2/debian/patches/series
--- audit-2.2.2/debian/patches/series 2012-12-21 08:19:34.000000000 -0800
+++ audit-2.2.2/debian/patches/series 2013-02-08 17:39:48.000000000 -0800
@@ -2,3 +2,6 @@
 manpage-dash.diff
 fix-make-check.diff
 FTBFS-python-multiarch.diff
+fix-asprintf-warnings.patch
+fix-unused-result-warnings.patch
+fix-discards-const-qualifier-warnings.patch
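Review bot: When the one-byte `write()` to the pipe fails, the new branch in autrace.c (hunk at -245) kills the child, removes the rules and exits with status 1 without printing anything, although this is an interactive tool that prints "Cleaning up..." a few lines later. A message before the `kill()` would make the failure diagnosable, e.g. `fprintf(stderr, "Failed to notify child (%s)\n", strerror(errno));`. The surrounding function is outside the hunk, so how it reports its other errors should be checked before settling on the exact form.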