Hi,

Apache Mod_Jk fails to build with security hardening cflags [1]. As part of an ongoing effort in Debian, we are trying to build as many "network" packages as possible with hardening features enabled [2]. Current failure is:

/usr/share/apr-1.0/build/libtool --silent --mode=compile x86_64-linux-gnu-gcc -I/usr/include/apache2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -DHAVE_CONFIG_H -DUSE_APACHE_MD5 -I ../common -I /include -I /include/unix -DLINUX=2 -D_FORTIFY_SOURCE=2 -D_GNU_SOURCE -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/xmltok -pthread -DHAVE_APR -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -DHAVE_CONFIG_H -c mod_jk.c -o mod_jk.lo
mod_jk.c: In function 'jk_error_exit':
mod_jk.c:678:5: error: format not a string literal and no format arguments [-Werror=format-security]
mod_jk.c:684:9: error: format not a string literal and no format arguments [-Werror=format-security]
cc1: some warnings being treated as errors

[1] "-Wformat -Wformat-security -Werror=format-security"
[2] http://wiki.debian.org/Hardening

Regards,
First note that the format string argument used in those two lines was explicitly sanitized by removing any % character just a few lines above, precisely because we pass it along without arguments. How to really fix this? I didn't find a way to tell gcc that this special argument is safe. Starting with gcc 4.6 we could use a pragma to switch off format-security checking just for those lines. Which gcc version is Debian using? Any better ideas how to correctly signal gcc that there is no problem here? In fact we do not use the ability to pass along arguments to format in jk_error_exit in the code for Apache 2.x, but we do use it in the code for 1.3 and I'm not yet ready to simply drop that feature.

Regards,

Rainer
Created attachment 28273 [details] Fix FTBFS with -Werror=format-security
Hi,

FTR, Debian currently uses GCC 4.6 (maybe GCC 4.7 soon). I've attached a small patch done by tony mancill <tmancill@debian.org> to help fix this. Could you please consider this for inclusion?

Regards,
Thanks for the patch. Don't know why I didn't consider that myself. Applied in r1240904. Will be part of 1.2.33.
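As an added example (not code from mod_jk or from the attached patch), the two call shapes this thread turns on, with a printf-style stand-in for ap_log_error: the sanitized variable-format call that -Werror=format-security rejects, silenced with the gcc 4.6 diagnostic pragma Rainer mentions, next to the literal "%s" form on which the check cannot fire at all. The log_msg sink, strip_percent helper and buffer sizes are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst, dropping every '%'. This mirrors the sanitizing step
   the thread says happens a few lines above the flagged calls. */
size_t strip_percent(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    for (; *src && n + 1 < cap; src++)
        if (*src != '%')
            dst[n++] = *src;
    dst[n] = '\0';
    return n;
}

/* Hypothetical logging sink standing in for ap_log_error. The format
   attribute is what lets gcc apply -Wformat/-Wformat-security to callers. */
static char log_buf[256];
static void log_msg(const char *fmt, ...) __attribute__((format(printf, 1, 2)));
static void log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

/* Shape gcc rejects with "format not a string literal and no format
   arguments": the format is a variable. It is only correct because the
   message was sanitized first; the compiler cannot see that, so the
   warning has to be switched off locally (gcc >= 4.6). */
const char *log_variable_format(const char *msg)
{
    char clean[256];
    strip_percent(clean, sizeof clean, msg);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
    log_msg(clean);
#pragma GCC diagnostic pop
    return log_buf;
}

/* Shape that needs no sanitizing and no pragma: the format is a literal
   and the message is an ordinary argument, so any '%' in it is just data. */
const char *log_literal_format(const char *msg)
{
    log_msg("%s", msg);
    return log_buf;
}
```

Building the variable-format function without the pragma under -Werror=format-security reproduces the error quoted in the first comment; the literal form compiles cleanly and also preserves the message byte for byte.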