php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #63228 -Werror=format-security error in lsapi code
Submitted: 2012-10-06 11:11 UTC Modified: 2014-10-11 09:04 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: glen at delfi dot ee Assigned: gwang (profile)
Status: Closed Package: Compile Failure
PHP Version: 5.4.7, 5.6, master OS:
Private report: No CVE-ID: None
 [2012-10-06 11:11 UTC] glen at delfi dot ee
Description:
------------
php-5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal 
and no format arguments [-Werror=format-security]

full log:

/bin/sh /home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/libtool --
silent --preserve-dup-deps --mode=compile ccache x86_64-pld-linux-gcc  -
Isapi/litespeed/ -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/ -DPHP_ATOM_INC -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/include -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/main -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7 -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/date/lib -
I/usr/include/libxml2 -I/usr/include/openssl -I/usr/include/enchant -
I/usr/include/freetype2 -I/usr/include/imap -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/ext/mbstring/oniguruma -I/home/users/glen/rpm/packages/BUILD.x86_64-
linux/php-5.4.7/ext/mbstring/libmbfl -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/ext/mbstring/libmbfl/mbfl -I/usr/include/mysql -I/usr/include/pspell -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/TSRM -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/Zend  -
DDEBUG_FASTCGI -DHAVE_STRNDUP -I/usr/include/xmlrpc-epi  -I/usr/include -O2 -
fwrapv -pipe -Wformat -Werror=format-security -gdwarf-4 -fno-debug-types-section 
-fvar-tracking-assignments -g2 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --
param=ssp-buffer-size=4 -fPIC -march=x86-64 -gdwarf-4 -fno-debug-types-section -
fvar-tracking-assignments -g2  -c /home/users/glen/rpm/packages/BUILD.x86_64-
linux/php-5.4.7/sapi/litespeed/lsapi_main.c -o sapi/litespeed/lsapi_main.lo
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/lsapi_main.c: In function 'cli_usage':
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal and 
no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
make: *** [sapi/litespeed/lsapi_main.lo] Error 1
make: *** Waiting for unfinished jobs....



Patches

printf-format.patch (last revision 2012-10-06 11:11 UTC by glen at delfi dot ee)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-10-07 16:37 UTC] johannes@php.net
-Assigned To: +Assigned To: gwang
 [2012-10-12 17:30 UTC] gwang@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22611b8d3774cff379cc51666842ab4b8a2eaf7f
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2012-10-12 17:30 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-11-09 09:24 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2012-11-09 09:24 UTC] glen at delfi dot ee
code still not fixed in 5.4.8, what branch did you fix?! :o
 [2012-11-16 18:01 UTC] gwang@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2012-11-16 18:01 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-12-17 17:57 UTC] glen at delfi dot ee
hey!

this is not funny! the commit is not appearing in 5.4.9 release tarball either, 
please reply where did you commit the fix instead closing it again silently...
 [2012-12-17 17:57 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2012-12-18 07:39 UTC] glen at delfi dot ee
step by step proof that it's not fixed:

$ wget http://php.net/get/php-5.4.9.tar.bz2/from/this/mirror -O php-
5.4.9.tar.bz2
$ tar xjf php-5.4.9.tar.bz2
$ grep -n usage php-5.4.9/sapi/litespeed/lsapi_main.c 
586:static void cli_usage( TSRMLS_D )
588:    static const char * usage =
606:    php_printf( usage );
744:                cli_usage(TSRMLS_C);
788:                cli_usage(TSRMLS_C);
 [2012-12-28 17:04 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-12-28 17:04 UTC] gwang@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2012-12-29 14:28 UTC] glen at delfi dot ee
this is idiotic already. why are you closing this bug with description it is 
fixed when it is not?!

as wrigint of this note (2012-12-29), downloads page says:

PHP 5.4.10 (Current stable)

Complete Source Code

PHP 5.4.10 (tar.bz2) [10,885Kb] - 20 Dec 2012
md5: cb716b657a30570b9b468b9e7bc551a1


and the patch is NOT APPLIED in that release

even if you commit is included in php repo, THE COMMIT IS NOT APPEARING in 5.4 
series. re-merge the commit or cherry pick it!

last commit to the file in 5.4 is 4 months ago, while your commit is 3 months 
old

https://github.com/php/php-src/blob/PHP-5.4.10/sapi/litespeed/lsapi_main.c
https://github.com/php/php-src/commits/PHP-5.4.10/sapi/litespeed/lsapi_main.c
http://i.imgur.com/uqlx3.png
 [2012-12-29 14:28 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2013-01-08 03:47 UTC] aharvey@php.net
-Status: Assigned +Status: Closed
 [2013-01-08 03:47 UTC] aharvey@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2013-01-08 03:48 UTC] aharvey@php.net
Cherry picked and remerged, since this was clearly intended for 5.4: https://github.com/php/php-src/commit/9c52d09ebc62683f26338123bcda8068f162541d

This has missed 5.4.11, but should be in PHP 5.4.12.
 [2013-01-08 09:47 UTC] glen at delfi dot ee
thanks! finally!
 [2013-01-12 16:39 UTC] derick@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22611b8d3774cff379cc51666842ab4b8a2eaf7f
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-04-22 03:00 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2014-04-22 03:00 UTC] glen at delfi dot ee
cmon, this is SUPER ANNOYING already, the patch is still not applied to 5.6 branch, can it be finally applied to all maintained branches?!

ps the patch attached to ticket applies cleanly to 5.6.0beta1 version and current git master
 [2014-04-22 03:02 UTC] glen at delfi dot ee
-Status: Assigned +Status: Open -PHP Version: 5.4.7 +PHP Version: 5.4.7, 5.6, master
 [2014-04-22 03:02 UTC] glen at delfi dot ee
affects multiple versions, and seems PHP version can't be cleared so filling with comma separation
 [2014-04-22 13:47 UTC] felipe@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=742f4704a97844654bde3f9f054e6678ef897a1a
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-04-22 13:47 UTC] felipe@php.net
-Status: Open +Status: Closed
 [2014-04-22 13:49 UTC] felipe@php.net
I've pushed to 5.6 and master, since 5.4 already has the fix. Thanks for reporting!
 [2014-04-25 23:25 UTC] ab@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=742f4704a97844654bde3f9f054e6678ef897a1a
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-04-25 23:29 UTC] ab@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=742f4704a97844654bde3f9f054e6678ef897a1a
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-05-01 14:59 UTC] tyrael@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=742f4704a97844654bde3f9f054e6678ef897a1a
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-05-02 08:18 UTC] glen at delfi dot ee
btw, why in NEWS is "George Wang" name not "Elan Ruusamäe" ? I reported and fixed it (provided patch)
 [2014-05-02 17:27 UTC] aharvey@php.net
I suspect it happened by accident: I think the NEWS was added later by someone else and they probably just worked off the committer name.

I've fixed it up (on all branches) to include you. Sorry about that!
 [2014-05-02 20:28 UTC] tyrael@php.net
it is as Adam guessed, Felipe cherry-picked/merged this commit into 5.6 and master but forgot to add a NEWS entry, and when I noticed, I used the commiter name without looking more into it.
sorry for the inconvenience, and thanks for the report and the patch!
 [2014-10-07 23:20 UTC] stas@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-10-07 23:31 UTC] stas@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2014-10-11 06:38 UTC] wofaday at qq dot com
this is a bug for php 5.6.1,why no body pay close attention to this ,and nobody to  modify to this ?
if you use php 5.6.1 make,it will show :
make: *** [sapi/litespeed/lsapi_main.lo] Error 1

but php 5.6.0 is ok
 [2014-10-11 09:04 UTC] glen at delfi dot ee
make new bugreport, and include actual error (all compile failures exit with status 1). your report is not related to this bugreport. stop hijacking issues!
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC