nixpkgs docs: format hardening
This commit is contained in:
parent
5923f792e1
commit
911d22f88d
@ -1317,6 +1317,33 @@ in the default system locations.</para>
|
||||
|
||||
</section>
|
||||
|
||||
<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
|
||||
|
||||
<para>By default some flags to harden packages at compile or link-time are set:</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>hardening_format</varname></term>
|
||||
<listitem><para>Adds the <option>-Wformat -Wformat-security
|
||||
-Werror=format-security</option> compiler options. At present,
|
||||
this warns about calls to printf and scanf functions where the
|
||||
format string is not a string literal and there are no format
|
||||
arguments, as in <literal>printf(foo);</literal>. This may be
|
||||
a security hole if the format string came from untrusted input
|
||||
and contains <literal>%n</literal>.</para>
|
||||
|
||||
<para>This needs to be turned off or fixed for errors similar to:</para>
|
||||
|
||||
<programlisting>
|
||||
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
printf(help_message);
|
||||
^
|
||||
cc1plus: some warnings being treated as errors
|
||||
</programlisting></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
</chapter>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user