-Werror=format-security error in lsapi code

Bug #63228 -Werror=format-security error in lsapi code
Submitted: 2012-10-06 11:11 UTC Modified: 2014-10-11 09:04 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: glen at delfi dot ee Assigned: gwang (profile)
Status: Closed Package: Compile Failure
PHP Version: 5.4.7, 5.6, master OS:
Private report: No CVE-ID: None

 [2012-10-06 11:11 UTC] glen at delfi dot ee

Description:
------------
php-5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal and no format arguments [-Werror=format-security]

full log:

/bin/sh /home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/libtool --silent --preserve-dup-deps --mode=compile ccache x86_64-pld-linux-gcc  -Isapi/litespeed/ -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/sapi/litespeed/ -DPHP_ATOM_INC -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/include -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/main -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7 -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/date/lib -I/usr/include/libxml2 -I/usr/include/openssl -I/usr/include/enchant -I/usr/include/freetype2 -I/usr/include/imap -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/mbstring/oniguruma -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/mbstring/libmbfl -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/ext/mbstring/libmbfl/mbfl -I/usr/include/mysql -I/usr/include/pspell -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/TSRM -I/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/Zend  -DDEBUG_FASTCGI -DHAVE_STRNDUP -I/usr/include/xmlrpc-epi  -I/usr/include -O2 -fwrapv -pipe -Wformat -Werror=format-security -gdwarf-4 -fno-debug-types-section -fvar-tracking-assignments -g2 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fPIC -march=x86-64 -gdwarf-4 -fno-debug-types-section -fvar-tracking-assignments -g2  -c /home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/sapi/litespeed/lsapi_main.c -o sapi/litespeed/lsapi_main.lo
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/sapi/litespeed/lsapi_main.c: In function 'cli_usage':
/home/users/glen/rpm/packages/BUILD.x86_64-linux/php-5.4.7/sapi/litespeed/lsapi_main.c:606:5: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
make: *** [sapi/litespeed/lsapi_main.lo] Error 1
make: *** Waiting for unfinished jobs....



Patches

printf-format.patch (last revision 2012-10-06 11:11 UTC by glen at delfi dot ee)

History


 [2012-10-12 17:30 UTC] gwang@php.net

-Status: Assigned +Status: Closed

 [2012-11-09 09:24 UTC] glen at delfi dot ee

-Status: Closed +Status: Assigned

 [2012-11-09 09:24 UTC] glen at delfi dot ee

code still not fixed in 5.4.8, what branch did you fix?! :o

 [2012-11-16 18:01 UTC] gwang@php.net

-Status: Assigned +Status: Closed

 [2012-12-17 17:57 UTC] glen at delfi dot ee

hey!

this is not funny! the commit is not appearing in 5.4.9 release tarball either, please reply where did you commit the fix instead of closing it again silently...

 [2012-12-17 17:57 UTC] glen at delfi dot ee

-Status: Closed +Status: Assigned

 [2012-12-18 07:39 UTC] glen at delfi dot ee

step by step proof that it's not fixed:

$ wget http://php.net/get/php-5.4.9.tar.bz2/from/this/mirror -O php-5.4.9.tar.bz2
$ tar xjf php-5.4.9.tar.bz2
$ grep -n usage php-5.4.9/sapi/litespeed/lsapi_main.c 
586:static void cli_usage( TSRMLS_D )
588:    static const char * usage =
606:    php_printf( usage );
744:                cli_usage(TSRMLS_C);
788:                cli_usage(TSRMLS_C);
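
Added example, not part of the report or of the attached patch (whose contents are not shown on this page): why GCC flags a call shaped like `php_printf( usage );` and the conventional `"%s"` form that satisfies `-Werror=format-security`. `out_printf`, `format_directives`, `emit_usage_fixed`, `emit_usage_flagged` and the usage text are hypothetical names and constructed data, not PHP's.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for php_printf(). The format attribute makes GCC and
 * Clang apply -Wformat and -Wformat-security to every caller. */
__attribute__((format(printf, 3, 4)))
static int out_printf(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Constructed usage text; note the bare '%' in it. */
static const char *usage =
    "Usage: php [-q] [-c <file>] (workers use 50% of cores)\n";

/* Count '%' directives that would consume an argument (or be malformed) if
 * the string were used as a format. "%%" is a literal percent, not counted. */
int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Fixed form: the format is a literal, the text is passed as data. */
int emit_usage_fixed(char *buf, size_t len)
{
    return out_printf(buf, len, "%s", usage);
}

#ifdef SHOW_FLAGGED_CALL
/* Shape the compiler rejects: a non-literal format with no arguments. Not
 * compiled by default, since "% o" above would read a missing argument. */
int emit_usage_flagged(char *buf, size_t len)
{
    return out_printf(buf, len, usage);
}
#endif
```

Building with `-DSHOW_FLAGGED_CALL -Wformat -Werror=format-security` reproduces the diagnostic from the report on the `emit_usage_flagged` call.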

 [2012-12-28 17:04 UTC] gwang@php.net

-Status: Assigned +Status: Closed

 [2012-12-29 14:28 UTC] glen at delfi dot ee

-Status: Closed +Status: Assigned

 [2013-01-08 09:47 UTC] glen at delfi dot ee

thanks! finally!

 [2014-04-22 03:00 UTC] glen at delfi dot ee

-Status: Closed +Status: Assigned

 [2014-04-22 03:00 UTC] glen at delfi dot ee

cmon, this is SUPER ANNOYING already, the patch is still not applied to 5.6 branch, can it be finally applied to all maintained branches?!

ps the patch attached to ticket applies cleanly to 5.6.0beta1 version and current git master

 [2014-04-22 03:02 UTC] glen at delfi dot ee

-Status: Assigned +Status: Open -PHP Version: 5.4.7 +PHP Version: 5.4.7, 5.6, master

 [2014-04-22 03:02 UTC] glen at delfi dot ee

affects multiple versions, and seems PHP version can't be cleared so filling with comma separation

 [2014-04-22 13:49 UTC] felipe@php.net

I've pushed to 5.6 and master, since 5.4 already has the fix. Thanks for reporting!

 [2014-05-02 08:18 UTC] glen at delfi dot ee

btw, why in NEWS is "George Wang" name not "Elan Ruusamäe" ? I reported and fixed it (provided patch)

 [2014-05-02 17:27 UTC] aharvey@php.net

I suspect it happened by accident: I think the NEWS was added later by someone else and they probably just worked off the committer name.

I've fixed it up (on all branches) to include you. Sorry about that!

 [2014-05-02 20:28 UTC] tyrael@php.net

it is as Adam guessed, Felipe cherry-picked/merged this commit into 5.6 and master but forgot to add a NEWS entry, and when I noticed, I used the committer name without looking more into it.
sorry for the inconvenience, and thanks for the report and the patch!

 [2014-10-11 06:38 UTC] wofaday at qq dot com

this is a bug for php 5.6.1, why does nobody pay close attention to this, and nobody modifies this?
if you use php 5.6.1 make, it will show:
make: *** [sapi/litespeed/lsapi_main.lo] Error 1

but php 5.6.0 is ok

 [2014-10-11 09:04 UTC] glen at delfi dot ee

make new bugreport, and include actual error (all compile failures exit with status 1). your report is not related to this bugreport. stop hijacking issues!