Shouldn't add -Wformat-security and -Werror=format-security arguments if -Wno-format or -Wno-format-security is specified by the caller

Bug #1347257 reported by Chris Coulson
This bug affects 1 person
Affects                      Status         Importance   Assigned to   Milestone
hardening-wrapper (Ubuntu)   Fix Released   Undecided    Unassigned
Trusty                       Fix Released   Undecided    Unassigned

Bug Description

SRU Justification:
[Impact]
Some builds may fail because of the way hardening-wrapper adds flags to compilers.
[Test Case]
Try to compile firefox with hardening-wrapper installed.
[Regression Potential]
This changes the Perl script to check if these options already exist so it doesn't re-add them.

--

Proposing to backport this unchanged to trusty. The patch is attached below in a comment. Verified that the additional parameters are not added.

Firefox currently fails to build in utopic with the following error:

c++ -o hexdump.o -c -I../../dist/stl_wrappers -I../../dist/system_wrappers -include /build/buildd/firefox-32.0~b1+build1/config/gcc_hidden.h -DANDROID_SMP=0 -DLOG_NDEBUG=0 -D_GLIBCXX_OS_DEFINES -DHAVE_SYS_UIO_H -DFAKE_LOG_DEVICE -DMOZ_GLUE_IN_PROGRAM -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -DNO_NSPR_10_SUPPORT -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright -I. -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/binding/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/include/media/stagefright/foundation -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/media/libstagefright/ -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/empty -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/include/media/stagefright/foundation -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/system/core/include -I../../dist/include -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include/nspr -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include/nss -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include -I/build/buildd/firefox-32.0~b1+build1/modules/zlib/src -fPIC -DMOZILLA_CLIENT -include ../../mozilla-config.h -MD -MP -MF .deps/hexdump.o.pp -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer -Wno-format -Wno-multichar -Wno-sign-compare -Wno-unused 
/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/media/libstagefright/foundation/hexdump.cpp
cc1plus: error: -Wformat-security ignored without -Wformat [-Werror=format-security]
cc1plus: some warnings being treated as errors
/build/buildd/firefox-32.0~b1+build1/config/rules.mk:1001: recipe for target 'hexdump.o' failed
make[6]: *** [hexdump.o] Error 1

https://launchpadlibrarian.net/180524763/buildlog_ubuntu-utopic-amd64.firefox_32.0~b1%2Bbuild1-0ubuntu1_FAILEDTOBUILD.txt.gz

Firefox is built with hardening-wrapper (including the format string hardening), but it specifies -Wno-format just for the code in this subdirectory - presumably because this is a third-party module.
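
The interaction described in this report, as an added example in Perl (not the hardened-cc source and not the attached patch, which is not shown on this page). The sub names, the assumption that the wrapper prepends its flags, the flag patterns and the cut-down command line are all constructed for illustration; gcc_would_reject is only a simplified model of the cc1plus diagnostic in the build log.

```perl
#!/usr/bin/perl
# Added illustration, not the hardened-cc source. Sub names, the prepend
# behaviour and the exact flag patterns are assumptions.
use strict;
use warnings;

# Format-string hardening flags named in the bug title, plus -Wformat,
# which -Wformat-security depends on.
my @FORMAT_HARDENING = qw(-Wformat -Wformat-security -Werror=format-security);

# Count caller flags that already make a choice about format warnings, e.g.
# -Wformat, -Wformat=2, -Wno-format, -Wno-format-security,
# -Werror=format-security, -Wno-error=format-security.
sub caller_sets_format {
    return scalar(grep { /^-W(?:no-)?(?:error=)?format(?:=\d+|-security)?$/ } @_);
}

# Behaviour the report describes: the flags are injected unconditionally.
sub harden_unconditional { return (@FORMAT_HARDENING, @_) }

# Behaviour the changelog describes: inject only if the caller set nothing.
sub harden_checked {
    return caller_sets_format(@_) ? @_ : (@FORMAT_HARDENING, @_);
}

# Simplified model of the diagnostic in the build log: format-security is
# promoted to an error while -Wformat itself ends up disabled (last flag wins).
sub gcc_would_reject {
    my ($format, $sec_error) = (0, 0);
    for my $arg (@_) {
        if    ($arg =~ /^-W(?:all|format(?:=[1-9])?)$/)     { $format    = 1 }
        elsif ($arg =~ /^-W(?:no-format|format=0)$/)        { $format    = 0 }
        elsif ($arg eq '-Werror=format-security')           { $sec_error = 1 }
        elsif ($arg =~ /^-Wno-(?:error=)?format-security$/) { $sec_error = 0 }
    }
    return $sec_error && !$format;
}

# Constructed command line, cut down from the failing hexdump.cpp compile.
my @caller = qw(-Wall -Os -Wno-format -Wno-multichar -c hexdump.cpp);

for my $case ([ 'unconditional', harden_unconditional(@caller) ],
              [ 'checked',       harden_checked(@caller) ]) {
    my ($name, @argv) = @$case;
    printf "%-13s %s\n    -> %s\n", $name, "@argv",
        gcc_would_reject(@argv) ? 'cc1plus error' : 'accepted';
}
```

With the check in place, a translation unit that passes -Wno-format compiles without any format-string diagnostics, so the directories that opt out this way are the ones left uncovered by the format hardening.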

Steve Beattie (sbeattie) wrote :

Here's a patch that should fix this. Chris, can you test it?

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "hardening-wrapper_2.5ubuntu3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Chris Coulson (chrisccoulson) wrote :

Thanks - I've just tested this locally and it seems to do the trick

Martin Pitt (pitti) wrote :

Sponsored, thanks!

Changed in hardening-wrapper (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hardening-wrapper - 2.5ubuntu3

---------------
hardening-wrapper (2.5ubuntu3) utopic; urgency=medium

  * hardened-cc: don't set -Wformat options if they are already set
    (LP: #1347257)
 -- Steve Beattie <email address hidden> Thu, 24 Jul 2014 15:55:40 -0700

Changed in hardening-wrapper (Ubuntu):
status: Fix Committed → Fix Released
Matthias Klose (doko) wrote :
description: updated
Sebastien Bacher (seb128) wrote :

the upload is in the queue, unsubscribing the sponsors

Changed in hardening-wrapper (Ubuntu Trusty):
status: New → Fix Committed
Chris J Arges (arges) wrote : Please test proposed package

Hello Chris, or anyone else affected,

Accepted hardening-wrapper into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/hardening-wrapper/2.5ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

description: updated
tags: added: verification-needed
Matthias Klose (doko) wrote :

checked that these flags are not added anymore in a firefox build.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hardening-wrapper - 2.5ubuntu2.1

---------------
hardening-wrapper (2.5ubuntu2.1) trusty-proposed; urgency=medium

  [ Backport from 14.10 ]
  * hardened-cc: don't set -Wformat options if they are already set
    (LP: #1347257)
 -- Matthias Klose <email address hidden> Tue, 07 Oct 2014 17:10:55 +0200

Changed in hardening-wrapper (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for hardening-wrapper has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
