Bug #63228 -Werror=format-security error in lsapi code
Submitted: 2012-10-06 11:11 UTC Modified: 2013-01-08 09:47 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: glen at delfi dot ee Assigned: gwang
Status: Closed Package: Compile Failure
PHP Version: 5.4.7 OS:
Private report: No CVE-ID:
 [2012-10-06 11:11 UTC] glen at delfi dot ee
Description:
------------
php-5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal 
and no format arguments [-Werror=format-security]

full log:

/bin/sh /home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/libtool --
silent --preserve-dup-deps --mode=compile ccache x86_64-pld-linux-gcc  -
Isapi/litespeed/ -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/ -DPHP_ATOM_INC -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/include -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/main -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7 -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/date/lib -
I/usr/include/libxml2 -I/usr/include/openssl -I/usr/include/enchant -
I/usr/include/freetype2 -I/usr/include/imap -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/ext/mbstring/oniguruma -I/home/users/glen/rpm/packages/BUILD.x86_64-
linux/php-5.4.7/ext/mbstring/libmbfl -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/ext/mbstring/libmbfl/mbfl -I/usr/include/mysql -I/usr/include/pspell -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/TSRM -
I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/Zend  -
DDEBUG_FASTCGI -DHAVE_STRNDUP -I/usr/include/xmlrpc-epi  -I/usr/include -O2 -
fwrapv -pipe -Wformat -Werror=format-security -gdwarf-4 -fno-debug-types-section 
-fvar-tracking-assignments -g2 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --
param=ssp-buffer-size=4 -fPIC -march=x86-64 -gdwarf-4 -fno-debug-types-section -
fvar-tracking-assignments -g2  -c /home/users/glen/rpm/packages/BUILD.x86_64-
linux/php-5.4.7/sapi/litespeed/lsapi_main.c -o sapi/litespeed/lsapi_main.lo
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/lsapi_main.c: In function 'cli_usage':
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-
5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal and 
no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
make: *** [sapi/litespeed/lsapi_main.lo] Error 1
make: *** Waiting for unfinished jobs....



Patches

printf-format.patch (last revision 2012-10-06 11:11 UTC by glen at delfi dot ee)


History

 [2012-10-07 16:37 UTC] johannes@php.net
-Assigned To: +Assigned To: gwang
 [2012-10-12 17:30 UTC] gwang@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22611b8d3774cff379cc51666842ab4b8a2eaf7f
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2012-10-12 17:30 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-11-09 09:24 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2012-11-09 09:24 UTC] glen at delfi dot ee
code still not fixed in 5.4.8, what branch did you fix?! :o
 [2012-11-16 18:01 UTC] gwang@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2012-11-16 18:01 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-12-17 17:57 UTC] glen at delfi dot ee
hey!

this is not funny! the commit is not appearing in 5.4.9 release tarball either, 
please reply where did you commit the fix instead of closing it again silently...
 [2012-12-17 17:57 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2012-12-18 07:39 UTC] glen at delfi dot ee
step by step proof that it's not fixed:

$ wget http://php.net/get/php-5.4.9.tar.bz2/from/this/mirror -O php-5.4.9.tar.bz2
$ tar xjf php-5.4.9.tar.bz2
$ grep -n usage php-5.4.9/sapi/litespeed/lsapi_main.c 
586:static void cli_usage( TSRMLS_D )
588:    static const char * usage =
606:    php_printf( usage );
744:                cli_usage(TSRMLS_C);
788:                cli_usage(TSRMLS_C);
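
Added example, not part of the thread and not code from php-src: the call shape that -Werror=format-security rejects at line 606 (`php_printf( usage );`), next to the conventional `"%s"` form that the compiler accepts. `out_printf`, `print_text`, `print_text_flagged`, `count_conversions` and the sample usage text are hypothetical stand-ins; the flagged form is compiled only with -DSHOW_FLAGGED_FORM.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style output routine such as php_printf().
 * The format attribute is what lets GCC check the format argument at call sites. */
__attribute__((format(printf, 3, 4)))
static int out_printf(char *dst, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed sample text; not the usage string from lsapi_main.c. */
static const char *usage = "Usage: demo [-c <file>]\n  -h  Show this help\n";

/* Accepted form: the text travels as data, so any '%' in it is copied verbatim. */
static int print_text(char *dst, size_t cap, const char *text)
{
    return out_printf(dst, cap, "%s", text);
}

#ifdef SHOW_FLAGGED_FORM
/* Rejected form: build with -Wformat -Werror=format-security to see the error. */
static int print_text_flagged(char *dst, size_t cap, const char *text)
{
    return out_printf(dst, cap, text);
}
#endif

/* Audit helper: count conversion specifications in `text`. "%%" is a literal
 * percent sign; a non-zero result means the flagged form would read arguments
 * that were never passed. */
static int count_conversions(const char *text)
{
    int n = 0;
    for (size_t i = 0; text[i] != '\0'; i++) {
        if (text[i] != '%') continue;
        if (text[i + 1] == '%') { i++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    print_text(buf, sizeof buf, usage);
    printf("%s(conversions if used as a format: %d)\n", buf, count_conversions(usage));
    return 0;
}
```

A constant text with zero conversions prints the same either way, which is why this report is filed as a compile failure; the `"%s"` form keeps that true if the text ever gains a `%`.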
 [2012-12-28 17:04 UTC] gwang@php.net
-Status: Assigned +Status: Closed
 [2012-12-28 17:04 UTC] gwang@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php


 [2012-12-29 14:28 UTC] glen at delfi dot ee
this is idiotic already. why are you closing this bug with description it is 
fixed when it is not?!

as of writing of this note (2012-12-29), downloads page says:

PHP 5.4.10 (Current stable)

Complete Source Code

PHP 5.4.10 (tar.bz2) [10,885Kb] - 20 Dec 2012
md5: cb716b657a30570b9b468b9e7bc551a1


and the patch is NOT APPLIED in that release

even if your commit is included in php repo, THE COMMIT IS NOT APPEARING in 5.4 
series. re-merge the commit or cherry pick it!

last commit to the file in 5.4 is 4 months ago, while your commit is 3 months 
old

https://github.com/php/php-src/blob/PHP-5.4.10/sapi/litespeed/lsapi_main.c
https://github.com/php/php-src/commits/PHP-5.4.10/sapi/litespeed/lsapi_main.c
http://i.imgur.com/uqlx3.png
 [2012-12-29 14:28 UTC] glen at delfi dot ee
-Status: Closed +Status: Assigned
 [2013-01-08 03:47 UTC] aharvey@php.net
-Status: Assigned +Status: Closed
 [2013-01-08 03:47 UTC] aharvey@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2013-01-08 03:48 UTC] aharvey@php.net
Cherry picked and remerged, since this was clearly intended for 5.4: https://github.com/php/php-src/commit/9c52d09ebc62683f26338123bcda8068f162541d

This has missed 5.4.11, but should be in PHP 5.4.12.
 [2013-01-08 09:47 UTC] glen at delfi dot ee
thanks! finally!
 [2013-01-12 16:39 UTC] derick@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c52d09ebc62683f26338123bcda8068f162541d
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 [2013-11-17 09:32 UTC] laruence@php.net
Automatic comment on behalf of gwang
Revision: http://git.php.net/?p=php-src.git;a=commit;h=22611b8d3774cff379cc51666842ab4b8a2eaf7f
Log: sapi/litespeed/lsapi_main.c: Fix bug #63228
 
Last updated: Sun Apr 20 01:02:05 2014 UTC