Shouldn't add -Wformat-security and -Werror=format-security arguments if -Wno-format or -Wno-format-security is specified by the caller

Bug #1347257 reported by Chris Coulson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
hardening-wrapper (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |

Bug Description

SRU Justification:
[Impact]
Some builds may fail because of the way hardening-wrapper adds flags to compilers.
[Test Case]
Try to compile firefox with hardening-wrapper installed.
[Regression Potential]
This changes the perl script to check if these options already exist so it doesn't re-add them.

--

Proposing to backport this unchanged to trusty. The patch is attached below in a comment. Verified that the additional parameters are not added.

Firefox currently fails to build in utopic with the following error:

c++ -o hexdump.o -c -I../../dist/stl_wrappers -I../../dist/system_wrappers -include /build/buildd/firefox-32.0~b1+build1/config/gcc_hidden.h -DANDROID_SMP=0 -DLOG_NDEBUG=0 -D_GLIBCXX_OS_DEFINES -DHAVE_SYS_UIO_H -DFAKE_LOG_DEVICE -DMOZ_GLUE_IN_PROGRAM -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -DNO_NSPR_10_SUPPORT -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright -I. -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/binding/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/include/media/stagefright/foundation -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/media/libstagefright/ -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/empty -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/include -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/stubs/include/media/stagefright/foundation -I/build/buildd/firefox-32.0~b1+build1/media/libstagefright/system/core/include -I../../dist/include -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include/nspr -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include/nss -I/build/buildd/firefox-32.0~b1+build1/obj-x86_64-linux-gnu/dist/include -I/build/buildd/firefox-32.0~b1+build1/modules/zlib/src -fPIC -DMOZILLA_CLIENT -include ../../mozilla-config.h -MD -MP -MF .deps/hexdump.o.pp -Wall -Wpointer-arith -Woverloaded-virtual -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer -Wno-format -Wno-multichar -Wno-sign-compare -Wno-unused 
/build/buildd/firefox-32.0~b1+build1/media/libstagefright/frameworks/av/media/libstagefright/foundation/hexdump.cpp
cc1plus: error: -Wformat-security ignored without -Wformat [-Werror=format-security]
cc1plus: some warnings being treated as errors
/build/buildd/firefox-32.0~b1+build1/config/rules.mk:1001: recipe for target 'hexdump.o' failed
make[6]: *** [hexdump.o] Error 1

https://launchpadlibrarian.net/180524763/buildlog_ubuntu-utopic-amd64.firefox_32.0~b1%2Bbuild1-0ubuntu1_FAILEDTOBUILD.txt.gz

Firefox is built with hardening-wrapper (including the format string hardening), but it specifies -Wno-format just for the code in this subdirectory - presumably because this is a third-party module.
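
The failure and the fix described in this report, as an added example in POSIX shell (not the hardened-cc Perl script or the attached debdiff). The function names, the three-flag set, the assumption that the wrapper prepends it, and the simplified model of GCC's option handling are all assumptions made for illustration.

```shell
# Added illustration in POSIX sh; NOT the hardened-cc Perl script or its patch.
# ASSUMPTION: the wrapper prepends these three flags to the caller's arguments.
FORMAT_HARDENING="-Wformat -Wformat-security -Werror=format-security"

# Succeeds if the caller already stated any format-warning preference.
caller_sets_format() {
    for arg in "$@"; do
        case "$arg" in
            -Wformat|-Wformat=*|-Wformat-security|-Wno-format|-Wno-format-security|\
            -Werror=format-security|-Wno-error=format-security) return 0 ;;
        esac
    done
    return 1
}

# Pre-fix behaviour from the bug title: always add the flags.
# (Arguments are joined with spaces; enough for a demo, not for paths with spaces.)
naive_args() { printf '%s\n' "$FORMAT_HARDENING $*"; }

# Post-fix behaviour: add the flags only when the caller has set none.
fixed_args() {
    if caller_sets_format "$@"; then printf '%s\n' "$*"
    else printf '%s\n' "$FORMAT_HARDENING $*"; fi
}

# Simplified model of the GCC error in the build log: the last explicit
# -Wformat/-Wno-format wins (and overrides -Wall); -Werror=format-security
# with -Wformat off is fatal. Succeeds when the argument list would fail.
trips_format_security_error() {
    format=unset; wall=off; security_error=off
    for arg in "$@"; do
        case "$arg" in
            -Wall) wall=on ;;
            -Wformat|-Wformat=[1-9]*) format=on ;;
            -Wno-format|-Wformat=0) format=off ;;
            -Werror=format-security) security_error=on ;;
            -Wno-format-security|-Wno-error=format-security) security_error=off ;;
        esac
    done
    [ "$format" = unset ] && format=$wall
    [ "$format" = off ] && [ "$security_error" = on ]
}

# Constructed sample: shortened form of the failing Firefox command line.
SAMPLE="-Wall -Os -Wno-format -Wno-multichar -c hexdump.cpp"
for variant in naive_args fixed_args; do
    if trips_format_security_error $($variant $SAMPLE); then echo "$variant: build fails"
    else echo "$variant: build ok"; fi
done
```

A translation unit that opts out this way is compiled without format-string checking, so an audit of a hardened build should list which command lines carry -Wno-format.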

Steve Beattie (sbeattie) wrote :

Here's a patch that should fix this. Chris, can you test it?

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "hardening-wrapper_2.5ubuntu3.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Chris Coulson (chrisccoulson) wrote :

Thanks - I've just tested this locally and it seems to do the trick

Martin Pitt (pitti) wrote :

Sponsored, thanks!

Changed in hardening-wrapper (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hardening-wrapper - 2.5ubuntu3

---------------
hardening-wrapper (2.5ubuntu3) utopic; urgency=medium

  * hardened-cc: don't set -Wformat options if they are already set
    (LP: #1347257)
 -- Steve Beattie <email address hidden> Thu, 24 Jul 2014 15:55:40 -0700

Changed in hardening-wrapper (Ubuntu):
status: Fix Committed → Fix Released
Matthias Klose (doko) wrote :
description: updated
Sebastien Bacher (seb128) wrote :

the upload is in the queue, unsubscribing the sponsors

Changed in hardening-wrapper (Ubuntu Trusty):
status: New → Fix Committed
Chris J Arges (arges) wrote : Please test proposed package

Hello Chris, or anyone else affected,

Accepted hardening-wrapper into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/hardening-wrapper/2.5ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

description: updated
tags: added: verification-needed
Matthias Klose (doko) wrote :

checked that these flags are not added anymore in a firefox build.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hardening-wrapper - 2.5ubuntu2.1

---------------
hardening-wrapper (2.5ubuntu2.1) trusty-proposed; urgency=medium

  [ Backport from 14.10 ]
  * hardened-cc: don't set -Wformat options if they are already set
    (LP: #1347257)
 -- Matthias Klose <email address hidden> Tue, 07 Oct 2014 17:10:55 +0200

Changed in hardening-wrapper (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for hardening-wrapper has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
